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Abstract 

This paper is concerned with Freeze LTL, a temporal logic on data words 
with registers. In a (multi-attributed) data word each position carries a 
letter from a finite alphabet and assigns a data value to a fixed, finite set of 
attributes. The satisfiability problem of Freeze LTL is undecidable if more 
than one register is available or tuples of data values can be stored and 
compared arbitrarily. Starting from the decidable one-register fragment we 
propose an extension that allows for specifying a dependency relation on 
attributes. This restricts in a flexible way how collections of attribute values 
can be stored and compared. This conceptual dimension is orthogonal 
to the number of registers or the available temporal operators. The 
extension is strict. Admitting arbitrary dependency relations, satisfiability 
becomes undecidable. Tree-like relations, however, induce a family of 
decidable fragments escalating the ordinal-indexed hierarchy of fast-growing 
complexity classes, a recently introduced framework for non-primitive 
recursive complexities. This results in completeness for the class . We 
employ nested counter systems and show that they relate to the hierarchy 
in terms of the nesting depth. 


1 Introduction 

A central aspect in modern programming languages and software architectures 
is dynamic and unbounded creation of entities. In particular object oriented 
designs rely on instantiation of objects on demand and flexible multi-threaded 
execution. Finite abstractions can hardly reflect these dynamics and therefore 
inhnite models are very valuable for specification and analysis. This motivates 
us to study the theoretical framework of words over infinite alphabets. It allows 
for abstracting, e.g., the internal structure and state of particular objects or 
processes while still being able to capture the architectural design in terms of 
interaction and relations between dynamically instantiated program parts. 

These data words, as we consider them here, are finite, non-empty sequences 
w = (oi, di)(a2, d2). .. (o„, d„) where the z-th position carries a letter at from 
a finite alphabet S. Additionally, for a fixed, finite set of attributes A a data 
valuation d^ : A —)■ A assigns to each attribute a data value from an infinite 
domain A with equality. 

This is a free and extended version of an article published in the proceedings of FoSSaCS 2016. 
The work was partially supported by EGIDE/DAAD-Procope (FREQS). 
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Freeze LTL. In formal verification, temporal logics are widely used for for¬ 
mulating behavioural specifications and, regarding data, the concept of storing 
values in registers for comparison at different points in time is very natural. This 
paper is therefore concerned with the logic Freeze LTL [DLN05] that extends 
classical Linear-time Temporal Logic (LTL) by registers and was extensively 
studied during the past decade. Since the satisfiability problem of Freeze LTL 
is undecidable in general, we specifically consider the decidable fragment LTL^ 
[DL09] that is restricted to a single register and future-time modalities. More 
precisely, we propose a generalisation of this fragment and study the consequences 
in terms of decidability and complexity. 

Considering specification and modelling, the ability of comparing tuples of 
data values arbitrarily is a valuable feature. Unfortunately, this generically 
renders logics on data words undecidable (cf. related work below). We therefore 
extend Freeze LTL by a mechanism for carefully restricting the collections of 
values that can be compared in terms of a dependency relation on attributes. In 
general, this does not suffice to regain decidability of the satisfiability problem. 
Imposing, however, a hierarchical dependency structure such that comparison of 
attribute values is carried out in an ordered fashion, we obtain a strict hierarchy 
of decidable fragments parameterised by the maximal depth of the attribute 
hierarchy. 

Before we exemplify this concept, let us introduce basic notation. Let S be 
a finite alphabet and {A, C) a finite set of attributes together with a reflexive 
and transitive relation Q Q A x A, i.e., a quasi-ordering, simply denoted A if Cl 
is understood. We call our logic LTL^^ and define its syntax according to the 
grammar 

ip-.:=a\-~Lp\ipLg}\l(.(p\ip\]ip\\!"Lp\ f"* 

for letters a € E and attributes x & A. We further include common abbreviations 
such as disjunction, implication or the temporal operators release (tpRi/' := 
^(^(/9U-i^/>)), weak next (Xg; := ^X^g;) and globally (G(/? := falseR(/?). The 
restriction of LTL^^ to a particular, fixed set of attributes {A, C) is denoted 
LTL|^ (or simply LTL^). 

In the following, we explain the idea of our extension by means of an example. 
The formal semantics is defined in Section 2. 

Example 1 . Consider a system with arbitrarily many processes that can lock, 
unlock and use an arbitrary number of resources. A data word over the alphabet 
E = {lock, unlock, use, halt} can model its behaviour in terms of an interleaving 
of individual actions and global signals. The corresponding data valuation can 
provide specific properties of an action, such as a unique identifier for the involved 
process and the resource. Let us use attributes A = (pid, res} and interpret data 
values from A as IDs. Notice that this way, we do not assume a bound on the 
number of involved entities. 

Consider now the property that locked resources must not be used by foreign 
processes and all locks must be released on system halt. To express this, we need 
to store both the process and resource ID for every lock action and verify that a 
use involving the same resource also involves the same process. As mentioned 
earlier, employing a too liberal mechanism to store multiple data values at once 
breaks the possibility of automatic analysis. In our case, however, we do not 
need to refer to processes independently. It suffices to consider only resources 
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lock lock use unlock unlock 
(res) 1 2 2 2 1 

(pid) 1111 1 


lock lock use unlock halt unlock 
1 3 3 3 9 1 

12 118 1 


Figure 1: The left word satisfies the formula from Example 1 whereas every 
strict prefix does not. The right word violates the property because at position 
3 use holds and the value of res matches the one stored at position 2 but the 
whole valuation (3,1) differs from (3,2), so the check f'”'' fails. Moreover, halt 
occurs before (1,1) was observed again in combination with unlock. 


individually and formulate that the particular process that loeks a resource is the 
only one using it before unlocking. This one-to-many correspondence between 
processes and resourees allows us to declare the attribute pid to be dependent on 
the attribute res and formulate the property by the formula 

G(lock^;P'^((use t"''') A-halt)U(unlock At"'''))- 

The freeze quantifier stores the current value assigned to pid and also 
implicitly that of all its dependencies, res in this case. The check operator f®, 
for an attribute x & A, then verifies at some position that the current values 
of X and its dependencies coincide with the information that was stored earlier. 
Also, properties independent of the data can be verified within the same context, 
e.g., ^halt for preventing a shut down as long as any resouree is still locked. See 
Figure 1 for example words. 

Using this extended storing mechanism, we can select the values of the two 
attributes and identify and distinguish positions in a data word where both 

), a particular one of them or a global signal (e.g., halt^ occurs. In 

contrast to other decidable fragments of Freeze LTL, we are thus able to store 
collections of values and can compare individual values across the hierarchy of 
attributes. This allows for reasoning on complex interaction of entities, also 
witnessed by the high, yet decidable, complexity of the logic. 

Outline and results. We define the semantics of LTL^^ in Section 2 gener¬ 
alising Freeze LTL based on quasi-ordered attribute sets. We show that every 
fragment LTL^ is undecidable unless A has a tree-like structure, formalised as 
what we call a tree-quasi-ordering. 

Section 3 is devoted to nested counter systems (NCS) and an analysis of their 
coverability problem. We determine its non-primitive recursive complexity in 
terms oi fast-growing complexity classes [Schl3]. These classes Fq, are indexed 
by ordinal numbers a and characterise complexities by fast-growing functions 
from the extended Grzegorczyk hierarchy (details are provided in Section 3). We 
show that with increasing nesting level coverability in NGS exceeds every class 
Fq, for ordinals a < Sq. By also providing a matching upper bound, we establish 
the following. 

Theorem 2 (NGS). The coverability problem in NCS is ¥ 1 ,^-complete. 
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We consider the fragment in Section 4. It restricts the available 

dependency relations to tree-quasi-orderings. By reducing the satisfiability prob¬ 
lem to NCS coverability, we obtain a precise characterisation of the decidability 
frontier in LTL^q. Moreover, we transfer the lower bounds obtained for NCS to 
the logic setting. This leads us to a strict hierarchy of decidable fragments of 
LTLj^q parameterised by the depth of the attribute orderings and a completeness 
result for LTL^^^. 

Theorem 3 (LTL^q). The satisfiability problem of 

• LTL^ is decidable if and only if A is a tree-quasi-ordering. 

• LTL\qg is Fgg-complete. 

Related work. The freeze [Hen90] mechanism was introduced as a natural 
form of storing and comparing (real-time) data at different positions in time 
[AH94] and since studied extensively in different contexts, e.g., [Gor96, Fit02, 
LP05]. In particular linear temporal logic employing the freeze mechanism over 
domains with only equality, i.e., data words, was considered in [DLN05] and 
shown highly undecidable (S}-hard). Therefore, several decidable fragments were 
proposed in the literature with complexities ranging from exponential [Laz06] 
and double-exponential space [DFP13] to non-primitive recursive complexities 
[DL09]. For the one-register fragment LTLj that we build on here, an upper 
bound was given in [Figl2]. Due to its decidability and expressiveness, it is 
called in [DL09] a “competitor” for the two-variable first-order logic over data 
words FO^(~, <,-1-1) studied in [BDM+11]. There, satisfiability was reduced to 
and from reachability in Petri nets in double-exponential time and polynomial 
time, respectively, for which recent results provide an F^s upper bound [LSI5]. 

Our main ambition is to incorporate means of storing and comparing col¬ 
lections of data values. The apparent extension of storing and comparing even 
only pairs generically renders logics on data words, even those with essential 
restrictions, undecidable [BOM"*"!!, KSZIO, DHLT14]. This applies in particular 
to fragments of LTL^ [DFP13]. 

The logic Nested Data LTL (ND-LTL) studied in [DHLT14] employs a navi¬ 
gation concept based on an ordered set of attributes. It inspired our extension 
of Freeze LTL but in contrast, data values in ND-LTL are not handled explicitly, 
resulting in incomparable expressiveness and different notions of natural restric¬ 
tions. While ND-LTL also features a freeze-like mechanism, it does not contain 
an explicit check operator (f). Instead, data-aware variants of temporal opera¬ 
tors such as U“ express constraints (only) for position where the stored value 
is present. For example, an ND-LTL formula G(lock —> 4,'^'^(^haltU“ unlock)) 
(in notation of this paper) requires that for every position satisfying lock there 
is a future position unlock with the same data value and that ^halt holds (at 
least) on all those position in between that also carry this particular value. In 
contrast, G(lock — > ),'’'‘^(^haltU(unlock A f’”''))) asserts that at all position in 
between ^halt holds. Enforcing such constraints in ND-LTL typically requires 
an additional level of auxiliary attributes. 

The future fragment ND-LTL’*' was shown decidable and non-primitive 
recursive on finite A-attributed data words for tree-(partial-)ordered attribute sets 
A. However, no upper complexity bounds were provided and the developments 
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in this paper significantly raise the lower bounds (cf. Section 5). The influence 
of more general attribute orderings, in particular the precise decidability frontier 
in that dimension, was not investigated for ND-LTL and its fragments. Instead, 
the logic was shown undecidable by exploiting the combination of future- and 
past-time operators. Extending LTL^ with past-time operators is also known to 
lead to undecidability. ND-LTL+ stays decidable even on infinite words, which 
is not the case for LTLj^q since satisfiability of LTL^ is already nj-complete 
[DL09]. 

2 Semantics and Undecidability of LTL^^ 

By specifying dependencies between attributes from a set A in terms of a quasi¬ 
ordering Q C A X A the freeze mechanism can be used to store the values of 
multiple attributes at once. The essential intuition for our generalised storing 
mechanism can well be obtained from the special case of a linearly ordered 
attribute set [A:] = {!,..., fc} with the natural ordering < for some natural 
number k € N. In fact, many of the technical developments in this paper 
concerning decidability and complexity are carried out within this setting but for 
concise presentation we only provide the most general formulation that captures 
also the undecidable case. 

The valuations d G in a [fc]-attributed data word are essentially sequences 
(or vectors) di...dk where the x-th position carries the value dx = d(a;) of 
attribute x G [fc]. Note that Example 1 matches that setting when renaming res 
to 1 and pid to 2. 

In a formula the subformula (/? is evaluated in the context of the current 
value d(a;) of the attribute x G A and the values d(y) of all smaller attributes 
y < X. Thus, the prefix di.. .dx of the value sequence at the current position is 
stored for later comparison. A check operator then compares the stored values 
di -. .dx to the values d[... d'y at the current position: the check is successful if 
the latter sequence is a prefix of the former, i.e. y < x and di.. .dy = d[.. .d'y. 

For the general setting of arbitrary (quasi-ordered) dependency relations 
{A, C), we lift the notion of the prefix of length x to the restriction of a valuation 
d : A —> A to the downward-closure cl(a;) = {y G A \ y \Z x} oi x m. A. This 
restriction is defined as dj^, : cl(x) —> A with d|a;(y) = d(j/) for ylGx. We denote 
the set of all such partial data valuations by A^ = {d : cl(a;) —> A | x G A}. 

Partial valuations d, d' G A(j) are compared in analogy to sequences: it must 
be possible to map one onto the other such that ordering is preserved and all 
values coincide. Formally, we define an equivalence relation ~ C A^ x A)) 
by d ~ d' if and only if there is a bijection h : dom(d) —)■ dom(d') such that, 
for all attributes x G dom(d) we have d(x) = d'(/i(x)) and, for all attributes 
y G dom(d), x ^ y ^ h{x) 'O h{y). Notice that this requires the domains of d 
and d' to be isomorphic. In the definition presented next we therefore allow 
for restricting the stored valuation arbitrarily before it is matched against the 
current one. In the linear case this simply means truncating the stored sequence 
before comparison and intuitively it allows for removing unnecessary information 
from the context. 

Semantics of LTL^^. For a non-empty data word w = (oi, di)... (a„, d„) G 
(S X A"^)+, an index 1 < i < n in w and a partial data valuation d G A)) the 
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semantics of LTL^ formulae is defined inductively by 
{w,i,d) \= 

{w,i,d) \= :<J4> {w,i,d)^(p 

{w,i, d) h (f Alp (w, i, d) \= If and {w, i, d) |= ip 

{w, i, d) 1= X :<t^ t + 1 < n and {w, t + 1, d) \= ip 

(w,t,d) '^ip\]ip 3^<k<n ■ iw,k,d) \= Ip a,iidyi<j<k ■ iw,j,d) \= ip 

{w,i,d) \P^ip :<S4> {w,i,di\^)'^ ip 

(w,i,d) ^ :<t^ : d|y ~ dila;. 

For formulae ip where every check operator is within the scope of some 
freeze quantifier the stored valuation is irrelevant and we write w \= ip li 
{w, 1, d) \= ip for any valuation d. 

Example 4. Consider a set of attributes A = {xi, X 2 , X 3 , yi, y 2 } with xi C X 2 E X 3 
and yi E Yi (this is an example for a tree-quasi-ordering, see below), the formula 
^ word w = (oi, di)... (a„, d„). The formula reads as: 
“Store the eurrent values di,d 2 ,dz o/xi,X2,X3, respeetively. Move on to the next 
position. Verify that the stored value di appears in yi and that d 2 appears in Y 2 
until the values di,d 2 ,d^ appear again in attributes xi,X2,X3, respectively.” 

At the first position, the values di = di(xi), d 2 = di(x 2 ) and d^ = di(x 3 ) are 
stored in terms of the valuation d = di |x 3 : {xi, X2, X3} —> A since Xi, X2, X3 depend 
on X3. Assume for the seeond position d2(xi) E di(xi) = di. The formula is 
not satisfied at the second position in the context of d since the only attribute 
p G A such that c\{p) is isomorphic to {xi,X2,X3} is p = X3. Then, however, any 
order preserving isomorphism needs to map Xi G dom(d) to Xi € dom(d2) since 
xi is the minimal element in both domains but d(xi) 7^ d2(xi). The only way 
to not violate the formula is hence that d 2 (yi) = di(xi) and d 2 (y 2 ) = di(x 2 ). 
Then, we can choose p = X 2 and have dj^j — d 2 |y 2 meaning that is satisfied. 

Undecidability. For C = {{x,x) \ x G A} (identity) we obtain the special case 
where only single values can be stored and compared. If |^| = 1 we obtain the 
one-register fragment LTL^. On the other hand, if A contains three attributes 
X, y, z such that x and y are incomparable and x C z A y then storing the value 
of 2 ; also stores the values of x and y. This amounts to storing and comparing the 
set {dx, dy} C A of values assigned to x and y. This is not precisely the same 
as storing the ordered tuple {dx, dy) G A x A but together with the ability of 
storing and comparing x and y independently it turns out to be just as contagious 
considering decidability. 

In [BDM+ll] it is shown that the satisfiability problem of two-variable first- 
order logic over data words with two class relations is undecidable by reduction 
from Post’s correspondence problem. We can adapt this proof and formulate 
the necessary conditions for a data word to encode a solution using only the 
attributes x C z A y. With ideas from [DFP13] we can also omit using past-time 
operators. Moreover, this result can be generalised to arbitrary quasi-orderings 
that contain three attributes x A z A y. 

The absence of such a constellation is formalised by the notion of a tree- 
quasi-ordering defined as a quasi-ordering where the downward-closure of every 
element is totally ordered. This precisely prohibits elements z that depend on 
two independent elements x and y. The definition describes in a general way a 


6 




hierarchical, tree-like structure. Intuitively, a tree-quasi-ordering is (the reflexive 
and transitive closure of) a forest of strongly connected components. 

Theorem 5 (Undecidability). Let (^, E) be a quasi-ordered set of attributes 
that is not a tree-quasi-ordering. Then the satisfiability problem of LTL^ is 
T,i-complete over A-attributed data words. 

See Appendix A for a complete proof. As will be discussed in Section 4, 
tree-quasi-orderings represent not only necessary but also sufficient conditions 
for the logic to be decidable. 


3 Nested Counter Systems 

Nested counter systems (NCS) are a generalisation of counter systems similar 
to higher-order multi-counter automata as used in [BB07] and nested Petri 
nets [LS99]. In this section we establish novel complexity results for their 
coverability problem. A finite number of counters can equivalently be seen as a 
multiset M = {ci : ni,... ,Cm ■ nm} over a set of counter names C = {ci,..., c„}. 
We therefore define NCS in the flavor of [DHLT14] as systems transforming 
nested multisets. 

Let iXft{A) denote, for any set A, the set of all finite multisets of elements of A. 
For fc e N we write [fc] to denote the set {1,..., fc} C N with the natural linear 
ordering <. A k-nested counter system (k-NCS) is a tuple N = {Q, S) comprised 
of a finite set Q of states and a set <5 C (0* ^ Q^) of transition rules. For 

0 < i < k the set Ci of configurations of level i is inductively defined hy Ck = Q 
and Ci-i = Q X 9Jl(Ci). The set of configurations of Af is then Cjg = Co- Every 
element of CV can, more conveniently, be presented as a term constructed over 
unary function symbols Q, constants Q and a binary operator -|- that is associative 
and commutative. For example, the configuration (9o,{('7i)0) • 1) ( 9 i) {( 92 , 0) : 
2 }) ; 2 , (gi,{(( 72 , 0 ) : 2 , ( 93 , {(^ 4 , 0 ) : 1 }) ; 1 }) ; 1 }) can be represented by the 
term qo{qi -\- qi{q 2 -h < 72 ) + qi{q 2 + 92 ) + <?i(g 2 + 92 + 93 ( 94 )))- The operational 
semantics of N is now defined in terms of the transition relation —)■ C Cjg x Cjg 
on configurations given by rewrite rules. For ((go, ■ ■ ■ ,qi), (9o, • ■ • ,9))) € b and 
i,j<k we let 

9o(A1i -|- gi(.. . qi{Xi+i). ..))—> 9o(-’^i + 9i(- • • dji^j+i )...)) 

for any Xh € iM{Ch) where 1 < h < k and = 0 for z -|- 2 < I' < j -|- 1. For 
example, a rule ((90), (9o)) changes the state 90 in the example configuration 
above to q'^. A rule ((90,91), (90,91,92)) adds a state 92 non-deterministically as 
a direct child of one of the states 91 resulting in one of the three configurations 

90(91(92) + 91(92 + 92) + 91(92 + 92) + 91(92 + 92 + 93(94))), 

90(91 + 91(92 + 92 + 92) + 91(92 + 92) + 91(92 + 92 + 93(94))) and 
90(91 + 91(92 + 92) + 91(92 + 92) + 91(92 + 92 + 93(94) + 92))- 

Moreover, a rule ((90,91,93), (90)) would remove specifically and completely the 
sub-configuration 91(92 -f 92 + 93(94)) since it does not match any other one. 
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The remaining cases for transitions, where {!) i < k = j, (2) i = k > j and 
(3) i = k = j, are defined as expected by rules 

qo{Xi + gi(... qi{Xi+i )...)) —^ Qoi^i + Qii- ■ ■ Qk-ii^k + q'k)- ■ ■)) (1) 

Qoi^i + qi{... qk-iiXk + qk)- • ■9o(^i + 9i(- ■ • 9i(-^i+i)- • ■)) (2) 

9o(-^i + 9i(- ■ • <lk-i{Xk + qk)- • ■9o(^i + 9i(- ■ ■ + 9fe)- • ■)) (3) 

respectively, where for (1) we have Xij ^2 = • ■ • = Xk = %■ Note that these cases 

are exhaustive since the nesting depth of terms representing configurations from 
Cjq is at most k. As usual we denote by —>■* the reflexive and transitive closure 
of —)■. By ^ we denote the nested multiset ordering, i.e. M' ^ M iff M' can 
be obtained by removing elements (or nested multisets) from M. Given two 
configurations C, C G Cjq the coverability problem asks for the existence of a 
configuration C” G Cjq with C” > C and C -G* C". 

To establish our complexity results on NCS we require some notions on 
ordinal numbers, ordinal recursive functions and respective complexity classes. 
We represent ordinals using the Cantor normal form (CNF). An ordinal a < eg 
is represented in CNF as a term a = 0 ;“^ + ... + over the symbol ca and 
the associative binary operator + where a > ai > ... > ak- Furthermore, we 
denote limit ordinals by A. These are ordinals such that a + 1 < A for every 
a < A. We associate them with a fundamental sequence (A„)„ with supremum 
A defined by 

n 

^' 

{a + := a+uj^ + ■ ■ ■ + ui^ and (a + )„ := a + 

for ordinals j3 and limit ordinals A'. Then, Sq is the smallest ordinal a such 
that a = w“. We denote the n-th exponentiation of w as i.e. fli := u) and 
:= . Consequently, (n„)m < fin is the m-th element of the fundamental 

sequence of fl„. Given a monotone and expansive^ function h : N —>■ N, a Hardy 
hierarchy is an ordinal-indexed family of functions : N —)■ N defined by 
hP(n) := n, /i“+^(n) := h°‘{h{n)) and h^{n) := h^"'{n). Choosing h as the 
incrementing function H{n) := n + 1, the fast growing hierarchy is the family of 
functions Fa{n) with Fa{n) := 

The hierarchy of fast growing complexity classes Fq, for ordinals a is defined 
in terms of the fast-growing functions Fa- We refer the reader to [Schl3] for 
details and only remark that F is the class of primitive recursive problems 
and problems in F(^, are solvable with resources bound by Ackermannian 
and Hyper-Ackermannian functions, respectively. The fact most relevant for our 
classification is that a basic Fc,-complete problem is the termination problem 
of Minsky machines Ni where the sum of the counters is bounded by FcdAdj) 
[Schl3]. 

Upper bound. To obtain an upper bound for the coverability problem in 
/c-NCS we reduce it to that in priority channel systems (PCS) [HSS14]. PCS 
are comprised of a finite control and a fixed number of channels, each storing 
a string to which a letter can be appended (write) and from which the first 
letter can be read and removed (read). Every letter carries a priority and can 

function f : A ^ A over an ordering ( A , <) is monotone if a < a' => /(a) < f { a ') and 
expansive if a < /(a) for all a , a ' S A . 



be lost at any time and any position in a channel if its successor in the channel 
carries a higher or equal priority. PCS can easily simulate NCS by storing and 
manipulating an NCS configuration in a channel where a state q at level i > 0 in 
the NCS configuration is encoded by a letter (q, k — i) with priority k — i. E.g., 
the 3-NCS configuration 9o(9i+ 9 i( 92 + < 72 ) +'Zi('Z 2 + 92 + 93 ( 94 ))) can be encoded 
as a channel of the form ( 91 ,2)(9i, 2)(92,1)(92, l)(9i, 2)(92,1)(92,1)(93,1)(94,0) 
while 9 o is encoded in the finite control. 

Taking the highest priority for the outermost level ensures that the lossiness 
of PCS corresponds to descending with respect to ^ for the encoded NCS 
conhguration. Thus the coverability problem in NCS directly translates to that 
in PCS. The coverability (control-state reachability) problem in PCS with one 
channel and k priorities lies in the class [HSS14] and we thus obtain an 
upper bound for NCS coverability. See Appendix B.l for further details. 

Proposition 6. Coverability in k-NCS is in Fnjfc • 

Lower bound. We can reduce, for any A: > 1, the halting problem of 
bounded Minsky machines to coverability in fc-NCS with the number of states 
bounded by / -I- c, for some constant c. This yields the following characterisation 
(recall that = F(o^),). 

Theorem 7. Coverability in [k + 1)-NCS is F^^^-hard. 

The idea is to construct a fc-NCS N = {Q, 5) that can simulate the evaluation 
of the Hardy function H°'{n) for a < {ftk)i in forward as well as backward 
direction. It can then compute a budget that is used for simulating the Minsky 
machine. Lower bounds for various models were obtained using this scheme for 
Turing machines [CS08, HSS14] or Minsky machines [SchlO, RV14]. 

The following construction uses fc -I- 1 levels of which one can be eliminated 
later. We encode the ordinal parameter a of H°‘{n) and its argument n G N 
(unary) into a configuration 

n 

Ca,n ■= main(s(MQ) -|- c(l -b ... + 1 )) 

using control-states main,s,c,w e Q and conhgurations defined by Mq := 0 
and := uj{Ma) + Mp. For example, an ordinal a = -b -b -b 1 is 

encoded by 

Ma = {(w, {(w, {(w, 0) : 1}) : 1}) : 1, (w, {(w, 0) : 2}) : 2, (w, 0) : 1} 

Note that we use shorthands for readability, e.g., stands for where 1 
is again short for the ordinal w®. The construction has to fulfil the following 
two properties. As NCS do not feature a zero test exact simulation cannot be 
enforced but errors can be restricted to be “lossy”. 

Lemma 8 . For all configurations Ca,n —>■* Ca',n' we have H°'{n) > i7“ (n'). 

The construction will, however, admit at least one run maintaining exact 
values. 

Lemma 9. If H°‘{n) = H°‘ {n') then there is a run Ca^n —>■* Ca',n'- 
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The main challenge is simulating a computation step from a limit ordinal 
to an element of its fundamental sequence, i.e., from Ca+\,n to Ca+\„,n and 
conversely. Encoding the ordinal parameter using multisets loses the ordering of 
the addends of the respective CNF terms. Thus, instead of taking the last element 
of the CNF term we have to select the smallest element, with respect to of 
the corresponding multiset. To achieve that, we extend NCS by two operations 
cp and min. Given some conhguration C = qi{q 2 {M)) G Cjq- the operation 
(<Zi, 92)cp((;'i, ( 72 ) copies M resulting in C = gj+ 'Z 2 (-^ 2 )) with Mi, M 2 ^ 
M. Conversely, given the configuration C' the operation {q'i,q 2 )m±ii{qi,q 2 ) 
results in C with M ^ Mi, M 2 . 

Both operations can be implemented in a depth first search fashion using the 
standard NCS operations. Based on them the selection of a smallest element 
from a multiset can be simulated; all elements are copied (non-deterministically) 
one by one to an auxiliary set while enforcing a descending order. Applying the 
min operation in every step ensures that we either proceed indeed in descending 
order or make a “lossy” error. We guess, in each step, whether the smallest 
element is reached and in that case delete the source multiset. Thereby it is 
ensured, that the smallest element has been selected or, again, a “lossy” error 
occurs such that the selected element is now the smallest one. The additional 
level in the encoding of Ca,n enables us to perform this deletion step. 

A similar idea to select a smallest ordinal from a multiset is used in [RV14]. 
However, we need to handle nested structures of variable size correctly whereas 
in this work the considered ordinals are below fla. They are represented by 
a multiset of vectors of fixed length where the vectors can be compared and 
modified directly in order enforce the choice of a minimal one. 

We now construct an NCS simulating an i7“(s)-bounded Minsky machine 
M of size s := \M\ analogously to the constructions in [SchlO, CS08, HSS14]. 
It starts in a configuration Ca,s to evaluate H°‘{s). When it reaches Co.n for 
some n < H°'{s) it switches its control state and starts to simulate A4 using 
n as a budget for the sum of the two simulated counters. Zero tests can then 
be simulated by resets (deleting and creating multisets) causing a “lossy” error 
in case of an actually non-zero counter. When the simulation of A4 reaches a 
final state the NCS moves the current counter values back to the budged counter 
and performs a construction similar to the one above but now evaluating i/“(s) 
backwards until reaching {Ca^sY, the initial configuration with a different control 
state. If {Ca^sY can be reached (or even covered) no “lossy” errors occurred and 
the Minsky machine A4 was thus simulated correctly regarding zero tests. The 
detailed construction is presented in Appendix B.2. 

4 From to NCS and Back 

Theorem 5 established a necessary condition for LTL^ to have a decidable satisfi¬ 
ability problem, namely that A is a tree-quasi-ordering. In the following we show 
that this is also sufficient. Let LTL^^q denote the fragment of LTL;!^ restricted 
to tree-quasi-ordered sets of attributes. The decidability and complexity results 
for NCS can be transferred to LTL^^g to obtain upper and lower bounds for the 
satisfiability problem of the logic. 

We show a correspondence between the nesting depth in NCS and the depths 
of the tree-quasi-ordered attribute sets that thus constitutes a semantic hierarchy 
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Figure 2; Example of a guarantee forest of depth 3 maintained and modified by 
the NCS constructed for some LTLjgj formula. Node enumeration (grey) is only 
for reference. 


of logical fragments. We provide the essential ideas in the following and refer 
the reader to Appendix C and D for the detailed constructions. 

The depth of a finite tree-quasi-ordering A is the maximal length k of strictly 
increasing sequences xi X 2 Cl ... C Xfe of attributes in A. The first observation 
is that we can reduce satisfiability of any LTL^^g formula over attributes A to 
satisfiability of an LTLj'^j formula where [A:] = {1,..., fc} is an initial segment of 
the natural numbers with natural linear ordering and k is the depth of A. 

Proposition 10 (LTL^^q to LTLI^j). For a tree-quasi-ordered attribute set A 
of depth k every LTL^ formula can be translated to an equisatisfiable 
formula of exponential size. 

To reduce an arbitrary tree-quasi-ordering A of depth k we first remove 
maximal strongly connected components (SCC) in the graph of A and replace 
each of them by a single attribute. This does only affect the semantics of formulae 
ip if attributes are compared that did not have an isomorphic downward-closure 
in A. These cases can, however, be handled by additional constraints added to 
ip. Data words over a thus obtained partially ordered attribute set of depth k 
can now be encoded into words over the linear ordering [A:] of equal depth k. 
The idea is to encode a single position into a frame of positions in the fashion 
of [KSZIO, DHLT14]. That way a single attribute on every level suffices. Any 
formula can be transformed to operate on these frames instead of single positions 
at the cost of an at most exponential blow-up. 

From LTL|-^j to NCS. Given an LTL|-^j formula we can now construct 
a (A: -I- 1)-NCS J\f and two configurations Cinit,Cfinal G Cjq- such that <& is 
satisfiable if and only if Cfinal can be covered from Cmit- 

The idea is to encode sets of guarantees into NCS configurations. These 
guarantees are subformulae of $ and are guaranteed to be satisfiable. The 
constructed NCS can instantiate new guarantees and combine existing ones while 
maintaining the invariant that there is always a data word lu € (E x A[^1)+ that 
satisfies all of them. To ensure the invariant, the guarantees are organised in a 
forest of depth k as depicted in Figure 2. 

All formulae ip contained in the same node v of this forest are moreover not 
only satisfied by the same word w but also with respect to a common valuation 
d„ e i.e., (ri;,l,d^) \= ip. Recall that valuations over linearly ordered 


11 



attributes can be seen as sequences. The forest structure now represents the 
common-prefix relation between these valuations d„. For two nodes v, v' having 
a common ancestor at level i € [k] in the forest, the corresponding valuations d^,, 
d„/ can be chosen such that they agree on attributes 1 to i. A uniquely marked 
branch in the forest further represents the valuation di at the first position in 
w. If a formula tp is contained in the marked node at level i in the forest then 
(w,l,di|i) \= tp. In that case (w,l,d) \= IV holds for any d € and the 
formula l^(p could be added to any of the nodes in the forest without violating 
the invariant. Similarly, for a marked node v at level i the formulae f* can be 
added to any node in the subtree with root v. Moreover, other atomic formulae. 
Boolean combinations, and temporal operators can also be added consistently. 
The NCS Ak can perform such modifications on the forest, represented by its 
configuration, by corresponding transitions. 

Example 11. Consider the two guarantee forests depieted in Figure 2 that are 
encoded in configurations C and C of an NCS constructed for some TTLjgj 
formula. The invariant is the existence of a word w = (a, d). .. and valuations 
d„ G A[*1 such that {w, 1, d„) satisfies the formulae in a node v at level i. The 
forest structure relates these valuations to d (nodes marked by </) and each 
other. E.g., (ru, l,d|i) |= (pi, (ru, l,d| 2 ) |= ip 2 ond there is e with e |2 = d |2 
and e(3) 7 ^ d(3) s.t. {w, l,e) \= Let vi,. ..,vg be the nodes of the forest 
(as enumerated in the figure). Several possible operations are exemplified by 
the transition between C and C. The formula can he added to the node vq 
containing the formula ips since that node is checked on level 3. Similarly, there 
is da for node Vg such that d 3 (l) = d(l) and hence (re, da) ^ The formula 

cannot he added to the node vg since it is not below the checked node on 
level two. Consequently, the node can contain Node V 4 on level 2 does 

already contain (p 2 and ipg, meaning they are both satisfied by w and a valuation 
d 4 G A[^1. Hence the same holds for their conjunction. Moreover, W 4 is checked 
and therefore d 4 = d| 2 . This implies that (w, d') ^ i^'P 2 for any d' and that 
the formula can be added to any node in the tree, e.g. v-j. 

Recall that we only need to consider subformulae of $ and thus remain 
finite-state for representing nodes. More precisely, the number of states in M is 
exponential in the size of $ since they encode sets of formulae. 

A crucial aspect is how the NCS can consistently add formulae of the form 
Nip. This needs to be done for all stored guarantees at once but NCS do not 
have an atomic operation for modifying all states in a configuration. Therefore, 
the forest is copied recursively, processing each copied node. The NCS N can 
choose at any time to stop and remove the remaining nodes. That way it might 
loose guarantees but maintains the invariant since only processed nodes remain 
in the configuration. The forest of depth k itself could be maintained by a /c-NCS 
but to implement the copy operation an additional level is needed. 

The initial configuration Cinit consists of a forest without any guarantees. 
In a setup phase, the NCS can add branches and formulae of the form X p since 
they are all satisfied by any word of length 1. Once the formula $ is encountered 
in the current forest the NCS can enter a specific target state qfmai- A path 
starting in Cinit and covering the configuration Cfinal = Qfinal then constitutes 
a model of $ and vice versa. 
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Figure 3: Encoding of a 2-NCS configuration (1.) as [2]-attributed data word 
(r.). Instead of letters from S the encoded tuples of states from Q are displayed 
at every position. 


Theorem 12. For tree-quasi-ordered attribute sets A with depth k satisfiability 
of LTL^j^ can be reduced in exponential space to coverability in {k -\- 1)-NCS. 

From /c-NCS to LTLI^j. Let Af = (Q,S) be a fc-NCS. We are interested in 
describing witnesses for coverability. It suffices to construct a formula that 
characterises precisely those words that encode a lossy run from a configuration 
Cstart to a configuration Cend- We call a sequence CgCi.. .Cn oi configurations 
Cj € Cjq- a lossy run from Cq to C„ if there is a sequence of intermediate 
configurations Cq. .. Cf_i such that Ci F Gi—t Ci+i for 0 < 7 < n. Then Cend 
is coverable from C start if and only if there is a lossy run from C start to some 
Cn F Cfnd- 

A configuration of a Tc-NCS is essentially a tree of depth fc -|- 1 and can be 
encoded into a [A:]-attributed data word as a frame of positions, similar as done 
to prove Proposition 10. We use an alphabet S where every letter a € S encodes, 
among other information, a (fc -I- l)-tuple of states from Q, i.e., a possible branch 
in the tree. Then a sequence of such letters represents a set of branches that 
form a tree. The data valuations represent the information which of the branches 
share a common prefix. Further, this representation is interlaced: it only uses 
odd positions. The even position in between are used to represent an exact 
copy of the structure but with distinct data values. We use appropriate LTL|^j 
formulae to express this shape. Figure 3 shows an example. 

To be able to formulate the effect of transition rules without using past-time 
operators we encode lossy runs reversed. Given that a data word encodes a 
sequence CqCi. . .Cn of configurations as above we model the (reversed) control 
flow of the NCS Af = {Q,S) by requiring that every configuration but for 
the last be annotated by some transition rule tj G <5 for 0 < j < n. The 
labelling is encoded into the letters from E and we impose that this transition 
sequence actually represents the reversal of a lossy run. That is, for every 
configuration Cj in the sequence (for 0 < j < n) with annotated transition 
rule tj there is a configuration Cj_^_^ (not necessarily in the sequence) such that 

For the transition tj to be executed correctly (up to lossiness) we impose 
that every branch in Cj must have a corresponding branch in Cj+i. Yet, there 
may be branches in Cj+i that have no counterpart in Cj and were thus lost 
upon executing tj. Shared data values are now used to establish a link between 
corresponding branches: for every even position in the frame that encodes Cj 
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there must be an odd position in the consecutive frame (thus encoding Cj+i) 
with the same data valuation. To ensure that links are unambiguous we require 
that every data valuation occurs at most twice in the whole word. Depending 
on the effect of the current transition the letters of linked positions are related 
accordingly. E.g., for branches not affected at all by tj the letters are enforced to 
be equal. This creates a chain of branches along the run that are identified: an 
odd position links forward to an even one, the consecutive odd position mimics 
it and links again forward. 

Based on these ideas we can construct a formula satisfied precisely by words 
encoding a lossy run between particular configurations. The size of the formula 
is polynomial in the size of the NCS Af and can be built by instantiating a 
set of patterns while iterating over the transitions and states of Af, requiring 
logarithmic space to control the iterations. 

Theorem 13. The coverability problem of k-NCS can be reduced in logarithmic 
space to satisfiability. 

5 Conclusion 

By Theorem 12 together with Proposition 6 and Theorem 13 with Theorem 7 
we can now characterise the complexity of LTLf^o fragments as follows. 

Proposition 14. Satisfiability of LTL^ over a tree-quasi-ordered attribute set 
of depth k is in Fo 2 (fc^.i) and Fa^-hard. 

Together with Theorem 5 this completes the proof of Theorem 3 stating that 
LTLj^Q is the maximal decidable fragment of LTL^q and Feg-complete. The 
result also shows that the complexity of the logic continues to increase strictly 
with the depth of the attribute ordering. 

The logics ND-LTL^ were shown to be decidable by reduction to NCS 
[DHLT14]. Our results thus provide a first upper bound for their satisfiability 
problem. Moreover, we derive significantly improved lower bounds by applying 
the construction to prove Theorem 13 analogously to ND-LTL+ and, with 
reversed encoding, to the past fragment ND-LTL“. A subtle difference is that 
an additional attribute level is needed in order to express the global data-aware 
navigation needed to enforce the links between encoded configurations. 

Corollary 15. Satisfiability of ND-LTL^ with k + 1 levels is in Fn 2 (;,+i) and 
F -hard. 

PCS were proposed as a “master problem” for Fg^ [HSS14] and indeed our 
upper complexity bounds for NCS rely on them. However, they are not well 
suited to prove our hardness results. This is due to PCS being based on sequences 
and the embedding ordering while NCS are only based on multisets and the 
subset ordering. In a sense, PCS generalise the concept of channels to multiple 
levels of nesting, whereas NCS generalise the concept of counters. Hence, we 
believe NCS are a valuable addition to the list of Fgp-complete models. They 
may serve well to prove lower bounds for formalisms that are like Freeze LTL 
more closely related to the concept of counting. 
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A Undecidability of LTL^^ 

In this section we provide the technical details for establishing undecidability of 
LTL^q. Recall Theorem 5. 

Theorem 5 (Undecidability). Let (^, E) be a quasi-ordered set of attributes 
that is not a tree-quasi-ordering. Then the satisfiability problem of LTL^ is 
T,i-complete over A-attributed data words. 

Semi-decidability is obvious when realising that the particular data values 
in a data word are irrelevant. It sufhces to enumerate representatives of the 
equivalence classes modulo permutations on A. 

We proceed by first establishing undecidability for a base case with three 
attributes and generalise it then to an arbitrary number of attributes. 

A.l Base Case 

Lemma 16. For the quasi-ordered set (^, E) of attributes with A = {x, y,z} 
where x E z □ y and x, y are incomparable the satisfiability problem of LTL^ is 
undecidable. 

We can reduce the undecidable Post’s correspondence problem (PCP) (see, 
e.g., [HMUOl]) to satisfiability of LTL^. We consider an encoding of the problem 
used in [BDM+11]. An instance of PCP is given by a finite set T C E* x 
S* of tiles of the form t = {u,v), u,v G S*, over some finite alphabet E. 
The problem is to decide whether there exists a finite sequence tit 2 .. .t„ = 
{ui,vi){u 2 ,V 2 ).. ■ {unjVn) such that the “u-part“ and the “v-part” coincide, i.e. 
UiU2. . .Un = ViV2. . . U„. 

The idea in [BDM+II] is to encode a sequence of tiles in a word over the 
alphabet EUE, where a distinct copy E := {a | a € E} is used to encode the 
u-part and letters from E encode the u-part. For v = aia 2 ... € E*, € E, 

we let V = did 2 . ... A sequence of tiles {ui,vi){u 2 ,V 2 )... is then encoded as 
viuiV 2 U 2 .. ■ ■ The switched order of encoding a tile (ui, Vi) avoids some edge-cases 
later. 

In our setting we require letters to encode additional information and therefor 
use an alphabet T = (EUE) x 2^^ where AP is a finite set of atomic propositions. 

To show undecidability of the logic it now suffices to construct from an 
arbitrary instance of PCP T a formula that expresses sufficient and necessary 
conditions for a data word (ui, di)(a 2 , d 2 )... € (P x A"^)+ to encode a solution 
to the PCP instance in terms of the projection 0 ( 02 ... G (EUE)+ of w where 
ai = {ai,mi) for some mi G 2^^. 

In order to translate the conditions given in [BDM+Il] in terms of first- 
order logic formulae, past-time operators would be necessary. To avoid these 
we use the following two ideas from [DFP13]. Let, for a sequence of tiles 
{ui,vi){u 2 ,V 2 ). . ■{un,Vn) G T* denote u := uiU 2 ...Un and v := viV 2 ...Vn. 
First, we assume AP to contain two propositions e and o that shall mark even 
and odd positions, respectively, in u and v. Second, we use a variant of PCP 
that imposes additional restrictions on a valid solution tit 2 .. .tn G T*: 

• The initial tile is fixed to ti = t = {u,v) G T with Irtl > 1 and |t)| > 2, 
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• for every strict prefix tit 2 -. - U, i < n, the M-part must be strictly shorter 
than the v part and 

• 1^1 (i.e., the length of the solution) is odd. 

The first condition turns the problem into what is called a modified PCP in 
[HMUOl] and shown undecidable there by a reduction from the halting problem 
of Turing machines. It was observed in [DFP13] that this encoding of Turing 
machines actually guarantees that the length of the u-part is always shorter. As 
pointed out in [BDM+11], the last condition is not an actual restriction because 
adding a tile ($a;, $y) for every tile {x, y) & T yields a PCP instance that has an 
odd solution if and only if the original instance had any solution. 

We can now adjust the set of conditions from [BDM+11] such that they can 
be formulated in LTL^ and impose the additional restrictions on a solution. 

For easier reading, we use letters a € (BUS) in formulae to denote Vp6Ap(®’P) 
and propositions p G AP to denote V(a m)er|pem(®>Also, we use E and 
S to denote the formulae Vaes ® Vses respectively. We write F ip for 
true U ip. 


Global structure. Let AP contain a proposition end that we use to mark the 
end of a sequence of letters that encode a tile. For a tile t = (6i ...&„, oi... a„) € 
T where bi,ai G E let 


pt ■■= /\X*-ia- A /\X 


/ n+m— 1 


n+i —1 


bi A 


^i=i 


Vi=l 


A 

i=l 


X* 


nend AX”+™-iend 


be the formula expressing that the following positions encode the tile t. 

The global structure of a word that correctly encodes a sequence of tiles as 
described above can now be expressed in terms of the following conditions. 


• The word encodes a sequence of tiles from T, starting with i: 

(pf A G(end — > X V ‘Pt) 


(4) 


teT 


The even and odd positions on the substrings u and u of a solution are 
marked correctly with e and o, respectively. For t = (ui,Vi) the formula 

G(eO-o)AoAXl*'ilo, (5) 

expresses the exclusiveness of markings e and o and specihes the first 
w-position and the first M-position in the encoding to be odd. Then, the 
alternation of these markings in the subsequence encoding u is expressed 

by 

G((E A o) ^ X(^EU(E A e) V G(-E))) 

A G((E A e) ^ X(^E U(E A o) V G(^E))) 

and the alternation of markings in the subsequence encoding v by 
G((E A o) ^ X(^EU(E A e) V G(^E))) 

A G((E A e) ^ X(^E U(E A o) V G(^E))) 


( 6 ) 


( 7 ) 


Let <I>T be the conjunction of Formulae 4,5, 6 and 7. 
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Figure 4: Structure of a data word encoding a sequence of tiles with 

ti = {ab,abc), t 2 = {cc^cab), = (a,e). 


Chaining u and v. In order to connect the positions belonging to the subword 
u and the subword v we link consecutive position by a shared data value as 
depicted in Figure 4. 

For the subword encoding u the structure is imposed by the following con¬ 
straints. 

• Each data value occurs at most twice and not in both attributes x and y: 

G(S ^ F f) A - X F(S A f A X F(E A f))) 

AG(S^;y((^Ff) A-XF(SAf AXF(SAf))) 


• At any odd position (except for the last) the data value for attribute x 
occurs again in x at an even future position and the value of attribute y 
does never occur again. At any even position, the same holds vice versa 
for y and x. 


/ (SAoAXFE) ^ (i^F(t’'ASAe)) A^iyXF(f A E) \ 

^l^A (EAe) ^ AEAo)) A-i’'XF(t^A E) ) 

(9) 

The same restrictions can be formulated analogously for the subword that encodes 

V. 


G(E ^ ) A -XF(E A f A XF(S A f))) 

A G(E ^ ((^ F f) A - X F(E A f A X F(E A f))) 

/ (EAoAXFS) ^ (;’'F(fAEAe)) A-iyXF(tM E) \ 

A (SAe) ^ 4 yF(fASAo))A-i’'XF(f A E) y 

Let 4 ’chain denote the conjunction of the formulae from Equations 8 , 9 and 10 . 
To formalise the guarantee on the structure that we obtain from these 
constraints let 

W — Vi - . . Vmi Ui - . . Ufii '^mi + 1 ■ • • • • • '^ni +n2 ■ ■ • 

for Vi,Ui G T X be the encoding of a sequence of tiles tit2 - ■ ■ € T+ with 

w ^ A <I)chain- Further let u = uiU2-■ ■ = (ai, di)(a2, d2)... and v = 
viV2- ■ ■ = (&i, ei)(52,62)... be the subwords of w encoding the M-part and the 
u-part of the tile sequence, respectively. 
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Lemma 17. Let i < k be a position in the subword u of w with length |i6| = k. 

1. If i is odd then di(x) = di_|_i(x). 

2. If i is even then di(y) = di+i(y). 

3. For all positions i,j on u we have (d,(x) = dj(x) A di(y) = dj(y)) =>i = j. 
The same holds analogously for v. 

Proof. Given the formula ‘hy it is easy to see that the even and odd positions in 
the subwords u and v are correctly marked by the respective propositions. We 
present the proof only for u since it is identical for v. 

1.+2.) Assume u has length k. We proceed by induction on the positions i, 
backward from fc — 1 down to 1 . 

Base case i = k — 1. The length k of u needs to be odd, otherwise there is 
no even future position and Formula 9 is violated. Hence i = k — I is even and 
Formula 9 ensures that the value d/j_i(y) is repeated in attribute y, leaving d^ 
as only choice. 

Induction. Assume for i -\-1 < k — \ the statement holds. Assume i is odd. 
Since the position t + 1 exists, by Formula 9 there is a position j > i such that 
di(x) = dj(x). Now for every even j > i + 2 the induction hypothesis holds for 
j — 1, being odd. I.e. dj_i(x) = dj(x). Since the value dj(x) can only occur at 
most twice for x in u (Formula 8 ), we have di(x) 7 ^ dj (x), leaving j = i + 1 as 
only choice. 

Assume i is even. Formula 9 requires that di(y) = dj(y) for some odd j > i. 
Again, for any odd j > i + f the induction hypothesis holds for j — 1 > z +1, being 
even. We have dj_i(y) = dj(y) and thus di(y) 7 ^ d 7 (y) for any odd j > z + 1. 
Therefore only position j = z + 1 remains to carry the same value for y. 

3.) Let di(x) = d 7 (x) and di(y) = dj(y). Assume z is odd. Then, di(x) = 
di+i(x) (see above) and, by Formula 9, : di/(x) 7 ^ di(x). Hence i < j < 

z + 1. Moreover, : di/(y) 7 ^ di(y) and thus j = i. For even i the argument 
holds analogously. □ 

Synchronising u and v. Now that the encoding of u and v is set up, we 
enforce that 

1 . every position in v matches a unique position in u, 

2 . the first v position matches the first u position and 

3. for any two consecutive positions in v the corresponding matching positions 
in u are also consecutive. Finally, 

4. the last position in v matches the last position in u. 

This is accomplished by the formula <i>sync being the conjunction of the three 
formulae 

(i^xHf), ( 11 ) 

/\ G(a^i^(XF(a Af))), (12) 

aeS 

G((EA-XFS) ^;^(XF(t^ A-Xtrue))), (13) 

where v is part of the fixed initial tile t = {u,v). The formula specifies that 
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• each set {ei(x), ei(y)} of values occurring at some position i in u occurs 
again at a position in u with the same (encoded), 

• the data values at the first positions in v and u coincide and 

• the data values at the last positions in v and u coincide. 

For easier reading let (a,d) := (a, d) € E x A for (a, d) e E x A. The 
essential observation is now the following. 

Lemma 18. Let w ^ $ 7 ^ A $cham A d>sync be a data word and w' its projection 
to the alphabet (E U E) x A. Let u = ui... u\u\ cmd v = vi... f|„| be the maximal 
subwords of w' over E x A and E x A, respectively. Then, for all 0 < i < |r!| we 
have i < |u| and Vi = Ui. 

That is, the i-th position in the v-part of w corresponds to the z-th position 
in the zz-part and thus v encodes a prefix of the zz-part. Since the last position 
in V must corresponds to the last position in zz (Equation 13), v and zz must 
encode the same sequence of letters and w therefore a solution to the PCP T. 
On the other hand, given a solution for T, we can easily encode it according 
to the scheme depicted in Figure 4 where corresponding positions in zz and v 
can be linked appropriately. This encoding satisfies (by construction) all the 
constraints imposed by the formulae above. Hence, by proving Lemma 18 we 
complete the proof of Lemma 16. 

Lemma 18. Let zz = (oi, di)... [ai, d^) and v = ( 61 , ei)... ( 6 ^, e^). We proceed 
by induction on i. 

Base case (i = \). For the initial tile t = iu,v) we assumed that |z)| > 1 and 
|zz| > 1 so 1 is a position in zz as well as in v. Equation 11 requires that vi = uj. 

Induction (i > 1). Assume i < |v| is a position in v. Thus, all 0 < j < z 
are positions in v and by the induction hypothesis (IH) also positions in zz with 

Vj = Uj. 

Assume z is odd. We have 

di(y) = d^_i(y) = ei_i(y) = e^y) 

Let Vi = {bi,ei) = {a,ei) for some a € E. By Equation 12 thre must be a 
position Uj = (a^, dj) in u where Oj = a and dj = e^. 

By 4>chain, there can be at most two positions j with dj(y) = ei(y) and we 
have already di_i(y) = di(y) = ei(y). Hence, j € {z,z — 1}. That is, either 
uj = Vi OT Ui-i = Vi. The latter can be excluded since 

_ IH Lem. 17 

Uf—l — '^i—l — 

If z is assumed to be even the same arguments apply when exchanging attribute 
y by attribute x. □ 

Remark 19. Notice that we do not rely on using an until operator. Instead, we 
can replace it by a bounded version U-^ that in turn can be replaced by a finite 
unfolding only using nested X operators. The relevant range can be bound by the 
length of the tiles in T as 

k> 2 ■ max{|r| | 3s(r, s) € T V (s, r) e T}. 
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Thus, we take k to be at least as large as the longest consecutive pair vlUi or 
UiVi+i in the encoding of a solution could possibly be. This is a bound on the 
distance between two position in the encoding that are conseeutive in u or v. 
Henee, only the operators X and F are essential. 

A.2 General Case 

We can now complete the proof of Theorem 5. 

Theorem 5. Lemma 16 established undecidability for the essential case of a 
non-tree-quasi-ordering. It remains to conclude that this results generalises to 
arbitrary non-tree-quasi-orderings. 

Let {A, C) be the quasi-ordering dehned in Lemma 16. First of all, {A, C) is 
not a tree-quasi-ordering since the downward-closure cl(z) of z is not quasi-linear 
(total). Moreover, every non-tree-quasi-ordering (A, C') has a subset that is 
isomorphic to A: By definition A' must contain an element z' of which the 
downward-closure is not quasi-linear and must hence contain two incomparable 
elements x' C z' and y' Q z'. Hence from now on we assume w.l.o.g. that Af- A! 
by identifying x, y, z with x',y', z', respectively. 

We now show that the formula $ constructed to prove Lemma 16 is satishable 
over H-attributed data words if and only if it is satishable when being interpreted 
over H'-attributed data words. 

(=>) Consider an H-attributed data word w satisfying $. Choose a data value 
e G A that does not occur in w and extend w to an A-attributed data word w' 
by assigning e to every attribute p G A'\A dX every position in w'. This does not 
change the satisfaction relation because $ still only uses attributes from A and the 
evaluation of formulae f*" for r G is not affected: For w = (oi, di)... (a„, d„), 
w' = (ai,d()... (a„,d(j), 0 < i < j < n, r' G A we have 

(rc,j,d,i,) i=r' ^ (u;',j,d'i,) i=r'. 

i) Let r = r' G {x,y}. Notice that (w,^,d^jr) \= t*" iff di(r) = dj(r). Then 

di(r) = dj(r) implies that 3p^A' ■ d'|r|p — d'j^ since for p = r the 
restrictions are isomorphic as all other attributes in cl(r) are always mapped 
to e. Conversely, if : d'|r|p — d'then it can only be the case for 

some p such that cl(p) = cl(r). Since dj(( 7 ) = di{q) = e ^ di(r) for all 
q G cl(r) \ {r} the valuations can only be isomorphic if dj (r) = di(r). 

ii) Let r = r' = z. We have that (w,j, d^jz) (= iff di(z) = dj(z) and 
{di(x), di(y)} = {dj(x), dj(y)}. In our case, the models of <E> only admit 
disjoint values for attributes x and y (cf. Formulae 8 and 10 in the proof of 
Lemma 16). Thus, di(x) = dj(x) and di(y) = dj(y). This further implies 
3p^A' '■ d'lzip — d'|z witnessed by choosing p = z since all other attributes 
are evaluated to e by d' and d'. Moreover, the opposite direction holds for 
the same reason. 

hi) Let r' = X and r = y or vice versa. Again {w,j, d^j^) ^ iff di(r) = dj (r'), 
which however, cannot be true due to x and y being assigned disjoint sets 
of values in every model. On the other hand, assume there is p G A' s.t. 
d'lrip — d'I t-'. Clearly the witnessing isomorphism must map r to r' since 
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they are not assigned the value e. Then, however, di(r) = dj(r') which 
violates 

The remaining cases do not occur in $ (and would evaluate to false anyway). 
We conclude that if w is a model for $ then w' is as well. 

(•<=) Consider an ^'-attributed data word w' satisfying and let IS.^' C A be 
an enumerable set of data values not occurring in w' . Let / : ^ A^,/ be 

an injection from the ~-equivalence classes of data valuations to data values 
uniquely representing them. We can then construct an A-attributed model w for 
ip from w' by erasing all attributes except for x, y,z and let di(p) := /([d'|p]~) 
for p G A where [d]^ denotes the ~-equivalence class of a data valuation d. 
Intuitively, at any position in w', we just collapse the structure of data values to 
a single one representing its equivalence class. By similar arguments as above, 
we can again show that 


(u;,j,d,y i=r' ^ (u;',j,d'y i=r'. 

i) For r = r' we have that 3p^A' ■ d'|r-|p — dt|^ iff d'|r ~ dt|'^ iff [d'|r]~ = 
[d'l^]^ iff d,(r) = dj{r). 

ii) For r = X and r' = y or vice versa 3p^A' '■ d'|r|p — dt|^ cannot be true in a 
model for p and this being false implies equally di(r) 7 ^ dj(r'). 

Again, other cases do not apply. □ 
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B Nested Counter Systems 

B.l Upper Bound for NCS Coverability 

Recall Proposition 6 . 

Proposition 6. Coverability in k-NCS is in . 

The statement can be proven by a direct reduction to coverability (equiv¬ 
alently, control-state reachability) in priority channel systems (PCS) that we 
briefly recall from [HSS14] in the following. 

Priority Channel Systems. PCS can be defined over so called generalised 
priority alphabets. Given a priority level d € N and a well-quasi-ordering (P, <r) 
a generalised priority alphabet is a set := {(ojic) | 0 < w < d, w € P}. 
Then, a PCS is a tuple S = (E^^r, Ch, Q, A), where Ch is a finite set of channel 
names, Q is a finite set of control states and AC(5xChx{!,?}x E^y x Q is 
a set of transition rules. The semantics of PCS is defined as a transition system 
over conhgurations Confs := Q x (EJ p)^^ consisting of a control state and a 
function assigning to every channel a sequence of messages (letters from the 
generalised priority alphabet) it contains. A PCS can either execute one of its 
transition rules or an internal “lossy” operation called a superseding step. A 
(writing) transition rule of the form {q,c, !, {a,w),q') is performed by changing 
the current control state q to g' and appending the letter (a, w) to the content of 
channel c. A (reading) transition rule of the form {q, c, ?, (a, w), q') is performed 
by changing the current control state q to q' and removing the letter (a, w) from 
the hrst position of channel c. An internal superseding step is performed by 
overriding a letter by a subsequent letter with higher or equal priority, i.e. the 
channel content (ai,^!)... {ai,Wi){ai+i, Wi+i)... {ak,Wk) with Wi < Wi+i can 
be replaced by (ai, wi)... {a^-i,Wi-i){a^+i,w^+i)... {ak,Wk). 

Encoding. The semantics of NCS is defined in terms of rewriting rules on 
conhgurations represented as terms. A PCS can simulate this semantics by 
keeping the top-level state in its hnite control and storing the term representation 
of the nested multiset (with an additional marker at the end) in a single channel. 
The rewriting rules of the semantics can be applied by alternately reading from 
and writing to that channel. To simulate one step of the NCS the PCS guesses 
the rule that should be applied and then starts to loop one time through the 
channel. Going through the channel, the PCS guesses the positions where the 
rule matches and at the same time writes the corresponding messages back to 
the channel. During one iteration, the PCS has to keep track of hte guessed 
transition and up to which nesting level it already has been applied. 

As PCS are lossy the only objective is to ensure that lossiness with respect to 
the PCS semantics corresponds to descending with respect to ^ for the encoded 
NCS configurations. This can be easily ensured by encoding the nesting structure 
of an NCS conhguration using priorities where the highest priority corresponds 
to the outermost nesting level. E.g., the 3-NCS configuration 

qo{qi + qi{q2 + 92) + 91(92 + 92 + 93(94))) 

can be encoded as 

( 91 ,2)(<71,2)( 92 , 1)(92, l)(9i, 2)(g2,1)(92,1)(93,1)(94,0)($, 2) 
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while qo is encoded using the control state and $ marks the end of the encoding. 
A superseding step then always corresponds to removing an element from an 
innermost multiset. 

Complexity. The above encoding gives us a PCS with k priorities (maximal 
priority d = k — 1), one channel, a number of control states s polynomial in k 
and the number of states and transitions of the NCS and a size of the alphabet 
r linear in the number of the states of the NCS. 

The upper bound on the complexity of PCS control-state reachability is 
proved in [HSS14] by providing a bound on the so-called length function Ls* 

It measures the length controlled bad sequences in the well-quasi-ordered set 
of channel configurations S* p- Specifically, the proof of [HSS14, Corollary 4.2] 
provides a bound on the length function for the well-quasi-ordering p on 
PCS configurations with a single channel: (n). Taking 

into account the control states, following [HSS14, Section 4.3], this yields a 
bound i/(^ 2 fc+i)|r| s (n) on the length function for configurations of the PCS that 
we construct from an NCS as outlined above. The coverability problem of k-NCS 
is hence contained in F(n 2 fc)|r|-i-i- simplicity, we use the larger class in 
the statement of Proposition 6. 
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B.2 Lower Bound for NCS Coverability 

In this section we give the detailed constructions proving Theorem 7 . As we 
have discussed above, we need a construction fulfilling Lemma 8 and Lemma 9 . 

Auxilary operations. To this end, we extend the NCS with two auxiliary 
operations cp and min. The semantics of the operation {qi ,..., qi)cp{q [,..., q'l) 
can be given by the rewriting rule 

+ 52(^2 + ... qi{Xi)) + ( 72(-^2 + • ■ • 

+ <72(^2 + ... qi-i{Xi-i + qi{X"))) 

+ 12(^2 + ■ ■ ■ qi-i{X'i_i + q'i{X')))) 

where X' ^ Xi and X" ^ A/. The operation copies the multiset marked by 
q2,... ,qi “lossily” to a multiset marked by • • • ? 9 ;- Consider the configuration 
91(92(93+ 93)+94(95)) and the copy rule (gi,g2)cp(q'6,97)- The rule would select 
the part 92(93 + 93) and copy it, changing its label to qy and the control state to 
qe resulting in 95(92(93 + 93) + 94(95) + 97(93 + 93))- 

The operation (91,..., qi)m±-a{q[,... ,qi) can be seen as the inverse operation. 
Its semantics can be given by 

91(^1 + 92(^2 + ... qi{Xi)) + 92(^2 + . .. q'i{X[))) 

~^ 9 i(-^i + 92(^2 + ... qi-i(Xi-i)) + 92(^2 + ... q'i_i(X[_i + q'i(X')))) 

where X' < Xi and X' ^ A;'. It deletes the multiset marked by 92,..., 9; and 
replaces the multiset marked by 92,. •., 9) with the minimum of both (or a smaller 
multiset). Consider the configuration 91(92(93 + 94) + 95(93 + qe)) and the rule 
(91,92)min(97, 95). The rule would remove the part 92(93 + 94), replace 95(93 + 95) 
by the minimum and change the control state to q^ resulting in 97(95(93)). Both 
operations can be implemented using standard NCS transition rules and do thus 
not extend the computational power of NCS. 

Implementing cp. A copy rule t = (91,..., qi)cp{q [,..., q)) can be imple¬ 
mented as follows: (The variables and index 9 are universially quantified over 
all states) 

( 9 i,..., 9 /)( 5 (cpii,j^, 92 ,..., 9 /_i,i) 

(cpit,,, 92 , • ■ •, qi-i)S{cp\[ g, 92 ,..., 9 /-i, Oi) 

(cpi^.,, 92 ,..., q'i-i)SicPt^q, 92 , ■ • ■, 9 /'-l, 02) 

(cPt,,, 92 ,..., qi-i,ri ,. •., 7 ’m, Oi)( 5 (cpd( ,j, 92,..., qi-i,ri ,..., r„, 9, Oi) 
(cpdq, , 92 , ■ • •, qi-i,ri, ■■■Xm, 02)(5(cpd( 92,..., 9 i-i, ?’i, •.., ?’m, 9 , 02) 

(cpdj,,, 92 ,..., qi-i,ri ,..., T-m, i, ^m- 5 i)< 5 (cP(,r„+i, 92 ,..., qi-i,ri, ...,rm,q, i) 
(cpt,q, 92 ,..., 9 i-i, ^’1, •.., 7 -m, r„^+i, Oi)( 5 (cput_^, 92 ,..., 9 ;-i, »'i,..., r^, Oi, 9) 
(cput,q, 92 , • ■ •, 9 i-i, ^’1, •.., ?’m, r™+i, 02)(5(cpUt_^, 92,..., 9 ;-i, ’’i,..., 02,9) 

(cpuj^,, 92 ,...,®-i,'ri ,..., , rm+i j i)< 5 (cPi,r„+i, 92 , . . . , 9 i-l, »" 1 , . • . , 7 "™, i) 

(cPi,g, 92 ,..., 9i-i, i)< 5 (cpb, 92 ,..., 9 ;-i) 

(cpft, 92 ,..., 9i-i, Oi)( 5 (cpf(, 92 ,..., 9 ;) 

(cpf't, 92 ,..., 9 i-i, 02 )( 5 ( 9 'i, . • •, 9 /) 
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The construction works in a depth-first-search fashion using a symbol i to mark 
the set, that is currently copied (and subsequently deleted), and two symbols 
oi and 02 to mark the two copies, that are currently created. First (the control 
states named cpi) the markings are placed. Then either a new element of the 
multiset marked by i is selected, corresponding, new multisets are created under 
Oi and 02 and all markings are moved inwards (cpd-states) or copying of multiset 
marked by i has been completed, the multiset is deleted, and the markings 
are moved back outwards (cpu-states). When the markings are back on the 
outermost level, the copy process has been completed and the markings can be 
replaced (cpf-states). 

Implementing min. A minimum rule t = (qi,..., qi)m±'D.(q [,..., q'^) can be 
implemented in a similar fashion: 

(gi,..., qi)6{m\n\t,gi,q2 ,. •., qi-i,\i) 

(minit,,, ^2,..., g;') 5 (mini( • • •. ft'-i. b) 

(mini' 52 , • • •. 9;-i)^(mint,,, 52 , • • •, 9 ;-i, o) 

(mint,,, 52, ■ ■ •, •. ■, r™, o) 5 (mindt,„ 52, • ■ •, ^1, • • •, r™, 5, o) 

(mindt,,, 52 ,..., 5 ;-i,»'i ,..., ii, rm-si)^(mind', 52 ,..., qi-i,ri ,..., r^, 5, ii) 
(mindt,^, 52 ,..., 5 (_i,ri,...,r,„,i 2 , 5 )^(mint,,, 52 ,..., 5 ;-i,»'i,---,'^m, 9 ,i 2 ) 
(mint,,, 52 , • • ■, ft'-i, »"i, ■ • •, ?’m, r^+i, o) 5 (minut,„ 52, • • •, ^1, • ■ •, o, 5) 

(minut,,, 52 , ■ • ■,qi-i,ri ,... ii) 5 (minu(_^^^^, 52 ,... ,5/_i,ri,... ,r„,ii) 

(minu(,j, 52 ,..., 5 (_i,ri,...,rm, 5 , i 2 ) 5 (mint,,, 52 ,..., 5 i-i,?'i,---,'rm,i 2 ) 
(mint,,, 52 , • •. , 5 ;-i, ii)^(minft, 52 , •. • , 5 /-i) 

(minft, 52, • • ■, 9^1, i2)^(minf', 52, • ■ •, 9 /'-i) 

(minfj, 52 ,..., qi_^,o) 5 {q [,..., q'l) 

It follows exactly the same idea, but deletes elements from two marked multisets 
(ii and i2) and only creates elements in one marked multiset (o). 

Hardy computations. Having these auxiliary operations at our disposal, we 
can now give the exact transition rules to implement Hardy computations. The 
encoding of the ordinal parameter a and the natural attribute n of a Hardy 
function H°‘{n) is encoded into transitions as defined above. We have to come 
up with transition rules that allow four kinds of runs 

1. C'a-t-l.n ^ f^a,n+l, 

2. C'q,,„+i —>■* Cq+i,„, 

3 . Ca+\^n C'a-t-A^.n and 

4 . —>■* Ca+\^n 

in order to satisfy Lemma 8 without violating Lemma 9 . 

Case ( 1 ) is straightforward, we only have to remove some element from the 
multiset encoding the ordinal and move it to the multiset encoding the argument: 

(main, s, w)( 5 (Rl, s) 

(Rl, c)( 5 (main, c, 1 ) 
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Case ( 2 ) works just the other way around: 

(main, c, 1)(5(R2, c) 

(R2, s)(5(main, s,uj) 

Case ( 3 ) requires to replace the smallest addend oj^ of a limit ordinal a + oj^ 
with the nth element of its fundamental sequence If /? is a limit ordinal, 

it has to be replaced by / 3 „, i.e. the same process has to be applied recursively. 
Otherwise, the immediate predecessor of / 3 ' + l = f 3 has to be copied n times. The 
states in the following constructions are parametrised by the recursion depth 1 . 


(main, s, a;)(5(R3o, s, ai) 

i i 

(R3i, s',..., s')(5(R3s/, s',..., s', s') 

i i 

(R3si, s, s7T’?~7s)i^)'^(R3sJ, s, s7~?T7s, 02 ) 


(R3sJ, s, s,..., s, ai)cp(R3s(', s', s',..., s', oj) 

i i 

(R3sJ', s, sT^'TTTs, a2)min(R3s;, s, s^^'T'T^, Oi) 


(R3s;, s, oi, w)(5(R3i+i, s, s, oi) 


i i 

(R3s;, s, s7^”?~7sj oi, w)(5(R3cp s, sT^Ts) oi) 

i i 

(R3c/, s, sT^TTTs, ai)cp(R3cJ, s', s',..., s', w) 
(R3cJ, c, l)(5(R3c(', c) 

(R3cJ', c')(5(R3cp c, 1) 
(R3ci,c)(5(R3q,) 
(R3q,,c')(5(R3q(,c) 
(R3q;,s)5(R3q;') 

i I 

(R3q(', s', s',..., s')(5(main, s, , cJ) 


The construction starts selecting the smallest addend, by copying the multiset 
marked by s to the multiset marked by s' in descending order. The descending 
order is ensured using the min operation introduced above. ai and a2 are used 
to mark the currently largest and second largest addend. Once the copying 
process is stopped, ai marks the supposedly smallest addend, the construction 
moves down one level, and repeats this process. This part is implemented using 
the R 3 s-states. Once, a level is reached where the exponent is no longer a limit 
ordinal, one element is removed from the respective multiset (transition from 
R 3 s to R 3 c). Then, the copy operation is used to copy that exponent n times. 
This part is implemented by the R 3 c-states. Finally the multiset from the old 
ordinal is deleted and replaced by the newly computed ordinal (R 3 q-states). This 
construction might make several lossy errors in the sense that they result in a 
smaller ordinal to be computed. E.g. it might not select the smallest addend 
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at the cost of losing all smaller addends or it might stop at a level, where the 
exponent is still a limit ordinal. In this case instead of decreasing it by only one, 
a larger addend will be removed. 

Case (4) can be handled similarly to (3). The construction recursively guesses 
the smallest addend (R4s-states) as before. Then n copies of an addend have 
to be replaced by (R4m-states). This is realised by deleting at most n 

elements in descending order and maintaining their minimum using the minimum 
operation. The construction counts the number of elements actually deleted and 
uses it as the new value for n, ensuring that a lossy error occurs in case less than 
n elements are removed. The exponent is then increased by one and the addend 
is moved to the newly created ordinal. 


(main, s,a;)5(R4o, s, ai) 

i i 

(R4/, s',..., s')5(R4so, s',..., s', s') 

i i 

(R4s;, s, s7~r^Ts, w)5(R4sJ, s, s)~?~7s, 02 ) 

i i 

(R4s), s, sTT'T'TT^, ai)cp(R4sJ', s', s',..., s', w) 

i i 

(R4s(', s, sTT'T'TT^, a2)min(R4s;, s, s7~r~7^, ai) 
(R4si, s, ai,a;)5(R4;+i, s, s, Ui) 

i i 

(R4s;,s,s7^7s,w)5(R4m;,s,s7”?ns, 02 ) 

i i 

(R4m;, s, s7^”?~7^, a2)min(R4m(, s, sTT^'^Ts, Ui) 
(R4m;,c, l)5(R4m",c) 

(R4mJ', c')(5(R4m;, c, 1) 

i i 

(R4mi, s, s)“r~7s. ai)5(R4q,, s, sT^TTTs, oi, w) 


(R4q;, s, s,..., s, ai)cp(R4q;, s', s',..., s', w) 
(R4q:,c)<5(R4q;') 
(R4qr,c')5(R4qr,c) 
(R4qr,s)5(R4qr) 

i I 

(R4q"", s', s',..., s')(5(main, s,uj, .^. ,cJ) 


Finally, observe that for a < {flk)i the innermost (level-fc) exponents of the 
CNF terms that can arise during the computation of H°‘(n) are bounded by I 
because they are only decreased. Hence, using additional states .. ,uj^ G Q 
on level fc — 1 to represent configurations (w, {(w, 0) : i}) by (w*, 0) avoids one 
level of nesting in Af. 
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C From LTLj^^ to Nested Counter Systems 

In this section we provide the technical details of the reduction from the satisfia¬ 
bility problem for LTL^ formulae over tree-quasi-ordered attributes A to the 
coverability problem in NCS. 

C.l Reduction to Linear Orderings 

We recall and prove Proposition 10. 

Proposition 10 (LTL^^^ to LTL|^j). For a tree-quasi-ordered attribute set A 
of depth k every LTL^ formula can be translated to an equisatisfiable 
formula of exponential size. 

Let <1> be an LTL^ formula. To translate <I> into an equisatisfiable LTL|^j 
formula for some k € N we first turn A into a tree-partial-order A! by collapsing 
maximal strongly connected components (SCC) and adjust $ to obtain an 
equisatisfiable formula <!>' over LTL^,. Second, we show how to encode A!- 
attributed data words into [fc]-attributed data words and translate $' to operate 
on this encoding. 

Collapsing SCC. Let C 2 ,i,..., C 2 ,„ 2 , C 34 ,..., ..., C A be all 

maximal strongly connected components in the graph of the tree-quasi-ordering 
(yl, C) of size larger than 1 such that |Cij| = i. I.e., is the j-th distinct 
such component of size i. Notice that all Cij are disjoint since they are max¬ 
imal. Choose some arbitrary Xjj G Cij from each component and remove all 
components from A but for those elements Xij. Thus we collapse all SCC in A 
and obtain a tree-partial-ordering A'. In the formula $ we syntactically replace 
every attribute x € Cij by the corresponding representative Xij and obtain an 
LTL^, formula. 

Due to the semantics of the logic being defined in terms of downward closures 
the only significant change upon collapsing SCC is their size. While the downward- 
closures of two SCCs that have different sizes cannot be isomorphic replacing 
them with a single attribute can make valuations for them equal wrt. We 
therefore add the following constraint to $ disallowing a collapsed model to 
assign the same data value to representatives of SCCs that had different size. 

Compared to the original models of $ this is not a restriction and thus every 
model of $ still induces a model of $' and vice versa. 

Frame encoding. In the following we assume that A is a tree(-partial)- 
ordering, i.e., it does not contain non-trivial SCCs. Let k be the depth of 
A, i.e., the length of the longest simple path starting at some root (minimal 
element). We can pad A, by additional attributes s.t. every maximal path in 
A has length k. The additional attributes added to A this way are not smaller 
than the original ones and hence do not affect the semantics of formulae over A 
except that the new attributes need to be assigned an arbitrary value. Thus, 
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regarding A as a forest, we can assume that every leaf is at level k (roots are at 
level 1). 

Let £i,... ,£n G A be the leafs in A (enumerated in an in-order fashion). 
We use the ideas from [KSZIO, DHLT14] to encode an A-attributed data word 
w = WiW 2 -■ ■ into a [fc]-attributed data word u = UiU 2 -■ ■ where a single 
position in w is represented by a frame of n positions in u. Then, each position 
Wi = (oi, di) in w corresponds to the frame in u. In the z-th 

such frame, each position = (ai,gij) carries the same letter ai as Wi. 

The data valuation g(ij) G at the j-th position in the frame shall represents 
the j-th “branch” of the valuation d^. Thus, let for a leaf £j in A be 

E Xj^2 E ■ • ■ E Xj^k = £j the attributes in c\{£j), representing the branch in 
A from a root to £j. Now for r G [k] we let g(ij){r) = di(a;j_j.) 


Translation. Based on this encoding we can translate any LTL^ formula $ 
to an LTLI^j formula $ that specifies precisely the encodings of models of $. In 
particular, 4) is satisfiable iff is. 

Given the (in-order) enumeration £i,... ,£n G A oi leafs in A and an attribute 
X G A we let sb(a:) = min{r G [n] | a; E £r} denote the smallest index r of a 
branch containing x and lb(a;) = maxjr G [n] \ x 'Q £^'\ the largest such branch 
index. Further, we denote by lvl(a;) = \{x' \Gx' \x' G A}\ its level in A. 

We can assume $ to be in a normal form where every freeze quantifier is 
followed immediately by either an X, X or operator for attributes x,y G A. 
This is due to the following equivalences for arbitrary formulae if, letters a G S 
and attributes x,y G A. 


i^a = a i^Fif 

]Aiyif = if Ip i-^Gip 

i'^^ip = -'i'^ip 4.“(V'U^) 

r(zjAe) = (rv’)A(re) r(^RO 

r(zjve) = (rv’)v(re) 


Ip) V i^XFif 
ii^ip) A i^XG Ip 

(re)v((rv')Arx(zjue)) 

(re)A((rv')vrx(zjRe)) 


We can further assume that for every formula we have sb(a;) < sh{y): if 
X {Z y or X A y we can completely remove the formula, replacing it with a 
contradiction or a tautology, respectively. Otherwise x and y are incomparable. 
Then, if lvl(a;) < lvl(z/) the formula is again false and we can remove it. For 
Ivl(x) = lvl(j/) we have and can swap them if necessary. Finally, if 

Ivl(x) > lvl(t/) there is a unique attribute p Z x with Ivl(p) = Ivl(y) and by the 
definition of the semantics we have . We can thus replace x hy p 

and swap the attributes if necessary. 

Next we extend the alphabet to S' = E x [n]. The attached number is 
supposed indicate the relative position in every frame. This is enforced by a 
formula 


/3i Si A G /\E,-> (XE(_od„+i)A A 


G6H 


ie[n]\{i} 



where E^ for i G [n] stands for the formula Further, we impose that 

models actually have the correct structure and thereby encode an Gl-attributed 
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data word. The formula 


P 2 /\ G((a, i) —>■ X(a, i + 1)) 

(a,2)^2 X [n— 1 ] 


expresses that the letter from S is constant throughout a frame and 

/?3 := /y G (Ei ^ 

x&A 


ensures that the frame consistently encodes a valuation from A'^. Finally, we 
dehne the translation t($) inductively for subformulae of x G A and 
a € E as follows. 


t(rv') 

tiXip) 

t{r) 


X=bG)-i;i''i(^)t(V>) t{a) 

((Ei^t(A))U(EiAt(e))) t(AAO 


t(A) At(0 


We omit the remaining operators since they can be expressed in terms of the 
ones considered above. 

To see that $ := t(d>) A /3i A /32 A /Sa exactly characterises the encodings of 
models of <f> consider the underlying invariant that all subformulae of <f> are 
always evaluated on the first position of a frame except those preceded by a freeze 
quantiher. Those that directly follow a freeze quantiher have the form X^ or 
and are relocated to the hrst position of the successive frame or to the position 
encoding the branch of data values that needs to be checked, respectively. 
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C.2 From LTLJ-j to NCS 

Recall Theorem 12. 

Theorem 12. For tree-quasi-ordered attribute sets A with depth k satisfiability 
of LTL\ can be reduced in exponential space to coverability in {k + 1)-A^C'5'. 

By Proposition 10 it suffices to show that given an LTLI^j formula $ we can 
construct a (fc + 1)-NCS Af and two configurations Cinu, Cfinal € Cm s.t. $ is 
satisfiable if and only if Cfinal can be covered from Cinit- 

The idea is to construct from the LTfij'^j formula $ a (fc + 1)-NCS Af that 
guesses an (abstraction of a) data word re € (S x A^)+ position-wise starting 
with the last position and prepending new ones. Simultaneously, Af maintains 
a set of guarantees for the so far constructed suffix of w. These guarantees 
are subformulae (/? of <I> together with an (abstraction of a) data valuation 
representing the register value under which ip is satisfied by the current suffix 
of w. Guarantees can be assembled to larger formulae in a way that maintains 
satisfaction by the current suffix of w. Then d> is satisfiable if and only if 
there is a reachable configuration of N that contains $ as one of possibly many 
guarantees. 

Normal form. We fix for the rest of this section k gN and an LTL|^j [X,X,U,R 
] formula $ over the finite alphabet E and the data domain A. W.l.o.g. we 
restrict to the reduced set of temporal operators and expect $ to be in negation 
normal form, i.e., negation appears only in front of letters a € E and check 
operators f* for i G [fc]. Further, we assume that every check operator f* occurs 
within the scope of the freeze quantifier of level j > i since otherwise the 
check necessarily fails and the formula can easily be simplified syntactically. Let 
sub(<i)) denote the set of syntactical subformulae as well as the unfoldings of U 
and R formulae. 

State space. For the LTLI^j [X, X, U, R] formula $ we construct a (fc -I- 1)-NCS 
Af<s> = {Q, S) as follows. The state space is defined as Q = Q^tri U Qceii where 

^ctrl — Qadd U t^next U t^setup U t^stor, 

Qadd = {add} X (E U (E X sub(<f>)), 

Qnext = {nexti,next 2 ,copy, copy^JU ({copy} x 

Qsetup — {s6tLJp}, 

= {stor, stor*^, aux, aux*^} and 

Qcell={/,X}X2=^^(^). 

The two outer-most levels (level 0 and 1) of configurations will only use 
states from Q^tri and control the management of the configurations of level 2 
to k below. These configurations only use states from Qceii and implement a 
storage for a tree structure (more precisely, a forest) of depth k represented by a 
multiset of configurations of level 2. Every node in that forest, a cell, stores a 
set of formulae and is checked (/) or unchecked (X). 

Next we define the transition rules C (J. (Q* x Q^). 
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Setup phase. The storage of the initial configuration 


Cinit = setup(stor(gi(... qk-i{qk)-■ ■))) 

with qi = ... = qk = (/, 0) is empty except for a single checked branch of length 
k. We allow the NCS to arbitrarily add new (unchecked) branches and then 
populate the branches with guarantees of the form Xip G sub($). Thus, let 

(setup, stor, qi,..., qi)6{setup, stor, qi,...,q„ g'+i, 

(setup, stor, qi,...,qi, (to, F))(5(setup, stor, qi,... ,q^, {m, F U {X (/?})) 


for all 0 < i < k, ql,...,q^ G Qceii, q'i+i = ■■■ = = (/f, 0), to € 

F C sub($) and Xip G sub($). 

Construction phase. After the initial setup the NCS guesses a letter a G X 
by applying 

(setup)(5((add, a)). 

New atomic formulae can be added by the rules 

((add, a), stor, qi,...,qi, (to, Fj)S{{add, a), stor, qi,... ,qi,{m,F U {a})) 

((add, a), stor, qi,...,q„ (to, Fj)S{{add, a), stor, qi,... ,qi,{m,F U {^&})) 

((add, a), stor, qi,..., q(+i ,..., imj,Fj))6{{add, a), stor, qi,..., qf+i,..., {mj,Fj U {f^})) 
((add, a), stor, qi,..., q^, (X, F))S{{add, a), stor, qi,..., q^, (X, U {^f })) 

and existing formulae can be combined by rules 

((add, a), stor, qi,..., q^, (to, T’ U {v3}))(5((add, a), stor, qi,..., q^, (to, F U {p, ip V r/>})) 

((add, a), stor, qi,..., q^, (to, F U {v3}))(5((add, a), stor, qi,..., q^, (to, F U {p, ip V v?})) 

((add, a), stor, qi,..., q^, (to, F U {p, V'}))(5((add, a), stor, qi,..., q^, (to, F U {p, ip,pA V’})) 

((add, a), stor, qi,..., q,, (to, F U {p, V'}))(5((add, a), stor, qi,..., q^, (to, F U {p, ip, ip A (p})) 

((add, a), stor, qi,..., q,, (/, F U {v3}))(5((add, a, V), stor, qi,..., q^, (/, F U {q?})) 
((add, a, stor, qi,..., q^, (to, F))S{{add, a), stor, qi,..., q^, (to, F U V})) 


((add, a), stor, qi,..., qi, {m, F U {ip V {p A X((/?U V'))})) 

(5((add, a), stor, qi,... ,q^, {m, F U {p\J ip})) 

((add, a), stor, qi,..., q*, (to, FU{ip A{p\/ X((/?R V’))})) 

(5((add, a), stor, qi,..., q*, (to, F U {pRip})) 

for, respectively, F,Fj C sub(<i>), m,mj G {/,X}, 0 < i,j < k, e G [i + 1], 
i < £' < k, qi,...,qk G Qceii, qf+i = i<^,F), 5 G E \ {a} and p,ip,p V ip,ip V 
p,p Aip,ip Ap, P^^^p, Y, a, ^b,p\J ip,pRip G sub(<l>). 
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Advancing phase. To ensure consistency, prepending of X and X operators 
can only be done for all stored formulae at once. This corresponds to guessing a 
new position in a data word, prepending it to the current one and computing a 
set of guarantees for that proceeding position from the guarantees of the current 
position. 

The NCS can enter the advancing phase by the rules 
((add, a))(5(nexti, aux'^) 

for a € E. This also creates an auxiliary storage. Next, the original storage is 
copied cell by cell to the auxiliary storage. Upon copying a cell the formulae 
stored within are proceeded by next-time operators. To this end, for F C sub($) 
we denote by Ux = {Xi^,X(p G sub(<f>) | ip G F}. 

The markings are now utilised as pointers to the cell currently being copied. 
The rules 

(nexti, stor, q(,..., q'()S{copy, stor'^, gf,..., 

for gf = (/,Ui),... = (/,Ffc), = (X,Fi),...,= (X,Ffc), where 

Fi,..., Ffc C sub(<f>), set these pointers to the root of the storage 

To allow the NCS to copy the cells over in a depth-first, lossy manner let 

(copy, sto/, (X, F))5((copy, F), stor, (/, F)) 

((copy, F), aux'^)5(copy, aux, (/, Fx)) 

(copy, stor, qi,..., q^, (/, F'), (X, F))5((copy, F), stor, qi,..., q,, (X, F'), (/, F)) 
((copy, F), aux, qi,..., q,, (/, F'))5(copy, aux, qi,..., q,, (X, F'), (/, Fx)) 

for, respectively, F, F' C sub(<I>), 0 < i < k and qi... ,qi G Qceii- To allow for 
backtracking we let 

(copy, stor, qi,..., q^, (;C, F), (/, F'))(5(copyj,i, stor, qi,..., q^, (/, F) 

(copy^t, aux, qi,..., q^, (;C, F), (/, F'))(5(copy, aux, qi,..., q^, (/, F), (X, F')) 
(copy, stor, (/, F))(5(copyj,i, stor'^) 

(copy^j, aux, (/, F))(5(copy, aux'^, (X, F)) 


for 0 < z < fc, F, F' C sub($) and qi,..., qi G Qceii- 

Finally the original storage can be replaced by the auxiliary one by 

(copy,stor'^)(5(copybJ 
(copyj,(, aux'^)(5(next2, stor) 

The storage is now (partially) copied to the auxiliary storage. To enter the 
construction phase and thereby complete the transition from the old position in 
the imaginary data word to the preceeding position a new checked branch and a 
new letter from E is guessed by 


(next 2 ,stor, (X,Fi),..., (X, F,))(5((add, a), stor, (/,Fi)..., (/,Ffc)) 


for any a G E, 0 < z < fc, Fi,..., Fi C sub($) and Fi+i = ... = F/j = 0. 
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C.3 Correctness 

The NCS Af = (Q,S) that construct above maintains a forest of depth k where 
every node is labelled by a set of subformulae of <f>. Configurations reachable 
from the initial configuration 

Cinit = setup(stor(gi(...( 7 fc_i(( 7 fe)...))) 

with qi = ... = Qk = 0) always have the form qctri{<lsior{X) + X') or 

copyj,((aux'^(X)) where X is a multiset of configurations of level 2 that represents 
a forest Tc of depth fc.Let Vc be the set of nodes and F : Vc ^ their 

labelling by sets of formulae. For a node u € Vc at level i (roots have level 1) in 
Tc we denote by p{v) = Vi.. .Vi the unique path from a root to Vi = v. 

The structure of the forest represents the context in which the individual 
formulae are assumed to be evaluated. To formalise this let con : Vc —)■ A be a 
labelling of Tc by data values called concretisation. Such a labelling induces a 
set GconiTc) C sub(d>) x A'" with (v?, d) € GconiTc) iff 

• ip G F{v) for some node v G Vc with p{v) = vi.. .Vj and 

• d G A^ with d(i) = con{vi) for i G [j]. 

Now, let w = {a, d)^ G (E x A^)+ be a data word. We say that w and a 
configuration C = {qQ,M) are compatible if and only if there is a concretisation 
con : y —>■ A such that 

• for all ((/?, d') G Gcon{Tc) we have [w, 1, d') \= ip (guarantees are satisfied), 

• <Zo ^ {(sdd, 6), (add, b,p) \ b G T, \ {a}, p G sub($)} (letter is compatible) 
and 

• a qo ^ Qnext and vi.. .Vk is the unique path in Tc corresponding to the 
checked cells in G then (con(ui),..., con{vk)) = (d(l),..., d(fc)) (valuation 
is compatible). 

Lemma 20 (Invariant). Let G ^ C' be two configurations reachable from Ginit 
and lu G (E X A^)+ a [k]-attributed data word such that Tc and w are compatible. 
Then there is a [k]-attributed data word w' G (E x A^)+ such that Tc and w' 
are compatible. 

Proof. The initial configuration Gmit does not contain any guarantees and hence 
every data word is compatible with Tc^^^. The only formulae added during the 
setup phase are of the form X p. Thus, every configuration reachable during this 
phase is compatible at least with every data word of length 1. 

Consider a configuration G in the construction phase being compatible with 
a data word w G (E x A^)+ due to a concretisation con. It is easy to see 
that the atomic formulae that can be added are satisfied on w under the same 
concretisation con. Also, the Boolean combinations of satisfied formulae that 
can be added remain satisfied and the folding of temporal operators respects the 
corresponding equivalences. 

A rule adding a formula \f p can obviously only be executed if p is present 
in the marked cell at level i. Since in particular the valuation d of the first 
position of w is compatible with the marking there is {p, d|i) G GconfiTc) and 
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{w, 1, d|i) \= ip. Hence {w, 1, d') \= for valuation d' and IV can be put 
into any cell in Tq without breaking compatibility with w under con. 

Consider a configuration C in the advancing phase. The transition rules 
staying in the phase do not add any new formula to any cell in the storage of 
the configuration and hence any word compatible with C remains compatible. 

Finally, assume that w is compatible with a configuration C due to a con- 
cretisation con : Vc —>■ A and that a transition rule of the form 


(next 2 ,stor, ..., (^f, F;)),5((add, a), stor, (/,Fi)..., (/,i^fc)), 

for a € S, 0 < z < A:, Fi,..., Fi C sub(cl>) and F^+i = ... = F^ = 0, is applied 
to obtain a configuration C'. 

Let (a', d') be the first position of w and di+i, ■ ■. ,dk € A \ img(con) data 
values that are not assigned to any node in Tc by con. We define a new valuation 
d e A^ such that d|i = d'|i and d(j) = dj for i < j < k. Then the word 
(a, d)z(; is compatible with C witnessed by the concretisation con! : Vc —> A 
with con!(v) = con(v) for nodes v G Vc" that were already present in Tc and 
con'{v'j) = dj for the new nodes Vj (i < j < k) created by the rule. □ 

As a consequence of the previous lemma we conclude that if a configuration 
C containing <f> as guarantee is reachable from the initial configuration Cinit 
then it is satisfiable. We allow the NCS to enter a specific target state qfmai 
once the formula <f> is encountered somewhere in the current tree. Thus, a path 
covering Cfinal = qfinal proves $ satisfiable. Conversely, if $ has some model w 
than the NCS Af as constructed above can guess according to the letters and 
valuations along the word and assemble $ from its subformulae. 
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D From NCS to 

We provide the detailed construction to prove Theorem 13. 

Theorem 13. The coverability problem of k-NCS can be reduced in logarithmic 
space to satisfiability. 

Let Af = {Q,S) be a k-NCS. We are interested in describing witnesses for 
coverability. It suffices to construct a formula that characterises precisely 
those words that encode a lossy run from some configuration Cgtart to some 
configuration Cend- We call a sequence CqCi. . .Cn of configurations Cj € Cat 
a lossy run from Cq to Cn if there is a sequence of intermediate configurations 
Cq. .. Cn_i such that Ci ^ C- —>■ Q+i for 0 < i < n, i.e., 

CohC'o^CihC[^ ... ^ Cn-l > C'^_, ^ Cn. 

Then Cend is coverable from Cstart if and only if there is a lossy run from Cstart 
to some Cn ^ Cend- For Af we construct a formula 

— diconf A $flow A d^rn A d^inc A $dec A ^start A d^end- 


where 


• dJconf describes the shape of a word to encode a sequence of configurations, 

• d’flow enforces that in addition to the plain sequence of encoded configura¬ 
tions there are annotations that indicate which transition rule is applied 
and which part of configuration is affected by the rule, 

• <l>rn, $inc, d)dec, encodc the correct effect of transition of the respective 
type (see below), 

• d"start encodes that the encoded run starts with Cstart and 

• ‘I’end encodes that the encoded run ends with some configuration C ^ Cend- 

We omit to construct ^hgtart and $end since it is straightforward given the 
considerations below. For easier reading we use an alphabet of the form S = 2^^ 
where AP is a set of atomic propositions. Formally, every proposition p € AP 
used in a formula below could be replaced by 

V “ 

aG2|pGa 

to adhere to the syntax defined in Section 1. 

D.l Configurations 

A configuration C = {q, M) € Cjq- of some k-NCS Af = {Q, S) can be interpreted 
as a tree T of depth at most fc -I- 1 where the root carries q as label. The children 
of the root are the subtrees ifii i),... jifii „) represented by the configurations 
of level 1 contained in the multiset M. 

Similar to the approach of Proposition 10 we encode such a tree as [fc]- 
attributed data word. We use an alphabet S where every letter a € S encodes a 
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(fc+ l)-tuple of states from Q, i.e., a possible branch in the tree. Then a sequence 
of such letters represents a set of branches that form a tree. The data valuations 
represent the structure of the tree, i.e., which of the branches share a common 
prefix. Two branches represented by positions (a, d), (o', d') € E x A* are 
considered to be identical up to level 0 < z < fc if and only if (d(l),..., d(z)) = 
(d'(l),..., d'(z)). Notice that the tuples of states represented by a and a' must 
also coincide on their z-th prefix if (but not only if) d and d' do. 

For technical reasons we require that positions are arranged such that in 
between two positions representing branches with a common prefix of length i 
there is no position representing a branch that has a different prehx of length i. 
Further, this representation is interlaced: it refers only to odd positions. The 
even position in between are used to represent an exact copy of the structure 
but uses different data values. An example is shown in Figure 3. 

We specify the shape of data words that encode (sequences of) configurations 
by the following formulae. For convenience we assume w.l.o.g. that the NCS 
uses a distinct set of states Qi C Q for each level 0 < i < k that includes an 
additional state —i € Qi not occurring in any transition rule from d. 

• Positions are marked by even/odd. 

(odd —J- X(^odd A Xodd)) A (even cx ^odd) 

• Data values are arranged in blocks. Once a block ends, the respective value 
(valuation prefix) will never occur again (on an odd position). 

/\ i''((XX^f)Aodd) ^^XF(odd A f) (14) 

ie[fc] 

• Positions in the same block on level i carry the same states up to level i. 

/\ /\ (gAi'=XXf)^XX(j 

iG [/c] q^Qi 

• Even positions mimic precisely the odd positions but use different data 
values. 

odd^((/\ goXg)A(i^X^t^)A f\ XXf O X(;'= XXf)) (15) 

q^Q iG[k] 

• State propositions are obligatory and mutually exclusive on every level. 

f A 

\0<i<k qGQi J 

A A A 9 

0 <i<k q,q'GQi\q^q' 

• Branches shorter than k + 1 are padded by states —i € Q. 

( A -*^-*+i) 

A /y (J,^ XXt*) —>■-I — j_|_i A XX-I—i_|_i 
ie[fc-i] 
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• The proposition $ is used to mark the first position of every conhguration 
and can thus only occur on odd positions and the beginning of a new block. 

($ ^ odd) A (4^ XXf) ^ XX^$) 

• Freshness propositions mark only positions carrying a valuations of which 
the prefix of length i has not occurred before. 

/\ 4-XF(f A fresh,) 
ie[fc] 

Let ip be the conjunction of these constraints and <I)conf := % AGp. 

D.2 Control Flow 

To be able to formulate the effect of transition rules without using past-time 
operators we encode the runs reversed. Given that a data word encodes a 
sequence C^Ci.. .Cn of configurations as above we model the (reversed) control 
flow of the NCS M = {Q,S) by requiring that every configuration but for the 
last be annotated by some transition rule tj € <5 for 0 < j < n. 

G(($AXF$) o \/t) (17) 

tes 

Now, the following constraints impose that this labelling by transitions 
actually represents the reversal of a lossy run. That is, for every configuration 
Cj in the sequence (for 0 < j < n) with annotated transition rule tj there is 

a configuration C' (not necessarily in the sequence) such that C -A Cj and 

C A Q+i. 

Marking rule matches. Consider a position Cj in the encoded sequence that 
is annotated by a transition tj = {{qo,..., q^), , q'j)) G 6. In order for 

Cj, tj and Cj+i to encode a correct (lossy) transition hrst of all there must be 
a branch in Cj that matches {qg,... ,qj). We require that one such branch is 
marked by propositions /i... /j: 

/y G > ((X^$) U(even A /^A^)) 

t=((go.. • ■ .9i).(9o.- ■ ■ te[i] 

A {qQ A j+i A ... A fc) U 

This selects a branch of length j in every configuration. An operation that 
affects this branch may also affect other branches sharing a prefix. Thus, they 
are supposed to be marked accordingly. Since a node at some level i G [/c] in 
the configuration tree is encoded by a block of equal data valuations on level i, 
blocks are marked entirely or not at all. 

f\ G(4xXf ^(/, oXX/,)) 
ie[fc] 
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Moreover, at most one block is marked in every configuration frame. 

/\ G((/iAi'=XX-f)^X((-A)U$)) 

ie[/c] 

Now the markers indicate which positions in the word are affected by their 
respective transition rule. Notice, that the even positions are supposed to carry 
the marking. Let d>flow be the conjunction of the three formulae above and that 
in Equation 17. 

D.3 Transition Effects 

It remains to assert the correct effect of each transition rule to the marked 
branches. We distinguish three rule types. Let 

<5™ = {((<?o,---,90,(9o,---, 9D) e (5 I 0 < i < fc} 

be the set of renaming transition rules, 

Sdec = {{{qo,... ,qt,qi+i,... ,qj),{qo, ■ ■ ■ ,q'i)) & S \ 0 < i < j < k} 
be the set of decrementing transition rules and 

^tnc = & S\0<i <j <k} 

be the set of incrementing transition rules. Then S = dm U 6 dec U Sine- 

Renaming rules. Let 

d>rn = /\ G(t^copy(go, •■•,<?*))■ (18) 

■ ■ ,9i),(?0’' • ■ .<?D)6'5T-n 

The formula specifies that whenever a configuration is supposed to be obtained 
from a configuration Cn+i using a renaming transition rule t € dm then every 
branch in is also present in Cn+i- Moreover the states ( 7 g,...,g' in the 
marked branch should be replaced by q^,... ,qi. 

The idea to realise this is to use the interlaced encoding of configurations 
to link (identify) branches from a configuration Cn with the configuration C„+i 
in the sequence represented by a potential model. We consider a branch in Cn 
linked (on level i G [fc]) to a branch in Cn+i if the corresponding even position in 
Cn and the corresponding odd position in Cn+i carry the same valuation (up to 
level i). Since valuations uniquely identify a particular block (Equation 14) the 
following formula enforces for a position that there is a corresponding position 
in a unique block at level i of the next configuration where additionally Lp is 
satisfied. 

Iink,((p) =f'=((^$)u($A ((X^$)U(f A odd A (/?)))). 

For i = k a block represents an individual branch in a configuration and the 
formula linkfe((/?) enforces that there is a unique corresponding branch in the 
consecutive configuration. 
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The even positions in turn mimic the odd ones using different data values 
(Equation 15). Thereby we can create a chain of branches that are linked and 
thus identified. We use this to enforce that for renaming transition rules, each 
branch present in a configuration Cn will again occur in Cn+i ensuring that the 
sequence is “gainy” wrt. the branches—and hence lossy when being reversed. 

Using this we define the copy formula in Equation 18 as 


copy{qo,... ,q^) 


/ 

^ linkfc(go) A ( /y (/^ -> linkfc(g£)))\ \ 


£e[i] 


A /\ i A q)->■ Wnkkiq) 

V 

\ e&lk],qGQe J J 


Decrementing rules. We address this case by the formula 


^dec — 


A 


G\t-^ 


copy{qo,...,q^y 
A newyqo,...,qj) 


(19) 


• • ,qj),{qo,. . . ,qi))^Sdec \ 

where i < j and 

newi{qo, ...,qj) = (^X$)U(/i A link^(freshi+i A qo A ... A qj)) 


ensures that a configuration Cn+i actually contains a branch that can be removed 
by a decrementing rule t G 6dec rule to obtain Cn- 


Incrementing rules. For the remaining case let 

^inc — A G ^ copyButj(go, ..■,qi) A zero*) (20) 

t=((9o,. ■ ■ ,9i).(<Zo.. ■ ■ ,«'))6Anc 

where i < j, 

zeroj = (X^$) U(/j A —^) 

j<i<k 

asserts that the new branch that is created by an incrementing rule t G Sine does 
not contain more states than explicitly specified in t. Recall that Equation 16 
ensures that the propositions —e for £ G [fc] can only appear if there are no actual 
states below level t' — 1 in the tree structure of the corresponding configuration. 
Finally, the formula 


copyButj((7o,...,g*) = 


/ 

(even A ^/j) 

V 


/ linkfe(9o) A ( linkfc(( 7 <>)))\ \ 

eeli\ 


V 


A /\ i A q)Wnkkiq) \ \ 

eelk],qeQi / J 


U$. 


is similar to the copy formula above but omits to copy the particular branch 
that was created by the incrementing rule. 
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